CN110300083B - Method, terminal and verification server for acquiring identity information - Google Patents


Info

Publication number: CN110300083B
Authority: CN (China)
Prior art keywords: service, identity, information, identity information, message
Legal status: Active
Application number: CN201810238350.XA
Other languages: Chinese (zh)
Other versions: CN110300083A (en)
Inventor: 赵晓娜
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CN201810238350.XA (CN110300083B)
Priority to PCT/CN2019/078502 (WO2019179394A1)
Publication of CN110300083A
Application granted
Publication of CN110300083B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 involving digital signatures
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 for authentication of entities
    • H04L63/083 using passwords
    • H04L63/0861 using biometrical features, e.g. fingerprint, retina-scan

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Health & Medical Sciences
  • Biomedical Technology
  • General Health & Medical Sciences
  • Mobile Radio Communication Systems
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

The embodiments of the invention relate to a method, a terminal and a verification server for acquiring identity information. The method comprises the following steps: the terminal sends a first message comprising first electronic identity data and first information, where the first electronic identity data is used by a verification server to verify the identity of the electronic identity holder corresponding to that data, and, when the identity verification of the electronic identity holder passes, the first information is used by the verification server to obtain the identity information required by a first service from all identity information of the electronic identity holder; the terminal then receives a second message including the required identity information or an identity information check result obtained from the required identity information. According to the embodiments of the invention, only the identity information or identity information check result required by the service is obtained, so the leakage of key private data and the redundancy of unnecessary information caused by a user actively presenting an identity document are avoided, and the user experience is improved.

Description

Method, terminal and verification server for acquiring identity information
Technical Field
The present application relates to the field of identity authentication, and in particular, to a method, a terminal, and a verification server for acquiring identity information.
Background
With the development of society and the diversification of business, verifying a citizen's identity has become increasingly common and indispensable, and protecting the privacy of citizens' identity information has become increasingly necessary.
The electronic identity (eID) is a unique electronic identity for a citizen, based on cryptography, carried in a smart security chip, and signed and issued by the public security authority; it allows a citizen's identity to be recognised without revealing the citizen's identity information. Among the eID carriers implemented so far are physical cards such as integrated circuit (IC) cards, social security cards and subscriber identity module (SIM) cards; in future, smart terminals such as wearable devices and mobile phones will also serve as carriers. In China, eID technology is mainly used for online remote identity identification, and its main use scenarios include payment, social networking sites, electronic commerce, logistics and electronic government affairs.
When issuing an eID, the issuing authority (namely the public security department) computes from the citizen's identity information and a random number a unique code representing the citizen's identity, the electronic identity code (eIDcode); the computation is one-way, so the citizen's identity information cannot be recovered from the electronic identity code. The electronic identity code is then securely stored in the eID carrier together with a public key certificate generated for the eID carrier and a private key generated by the eID carrier. When a service authenticates the identity of a service requester based on eID technology, the eID carrier generates signature data (also called a signature) for the service using the private key stored in the carrier; the service application obtains the signature and sends it to the network identity service provider, which verifies the signature through the issuing authority. Once the signature is verified, the service is confirmed to have been approved by the eID holder (also called the electronic identity holder), i.e. the service requester is considered to be the eID holder. However, some services need to check only selected parts of the eID holder's basic identity information, for example: checking the age of a consumer when selling cigarettes and alcohol; checking the photo, name and even marital status of a traveller when staying at a hotel; checking the name and contact information of the sender when receiving or sending an express parcel; checking the photo of a driver and the validity period of an electronic driving licence during a traffic police check; checking the gender of a user of certain public facilities (such as a changing room); and the like.
If the service provider needs to check such information, the user may further be required to actively provide plaintext information to the service provider; for example, the user may need to manually enter his or her personal identification number and other private information during an online operation, which easily leads to leakage of private data. In addition, when a user's identity information is checked online today, the user often has to provide the service provider with valid documents (such as a second-generation identity card, driving licence or passport) or the main private data in those documents (such as name and identification number); besides the possibility that key private data leaks, unnecessary information may be disclosed redundantly.
Disclosure of Invention
The embodiment of the invention provides a method, a terminal and a verification server for acquiring identity information, wherein the method can acquire the identity information or the identity information check result required by a service, thereby avoiding the leakage of key privacy data and the redundancy of unnecessary information possibly caused by actively providing effective identity documents by a user and improving the user experience.
In a first aspect, a method for obtaining identity information is provided. The method comprises the steps that a terminal sends a first message, wherein the first message comprises first electronic identity data and first information, the first electronic identity data is used for a verification server to verify the identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used for the verification server to obtain identity information required by a first service from all identity information of the electronic identity holder; and the terminal receives a second message, wherein the second message comprises the required identity information or an identity information check result obtained based on the required identity information.
In the embodiment of the present invention, the first message sent by the terminal includes not only the first electronic identity data but also the first information. On one hand, the verification server can verify the identity of the electronic identity holder corresponding to the first electronic identity data according to that data; on the other hand, when the identity verification passes, the verification server can obtain the identity information required by the first service from all the identity information of the electronic identity holder according to the first information. The terminal then receives the second message, which includes the required identity information or the identity information check result obtained from it. Therefore, the terminal can acquire the required identity information at the same time as the identity is verified, the service requester is not required to provide plaintext information to the service provider, leakage of key private data can be avoided, and redundancy of unnecessary information is avoided.
In a possible implementation manner, after the terminal receives the second message, when the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal executes the first service. According to the embodiment, the execution of the service meeting the service requirement can be automatically triggered.
In a possible embodiment, the terminal sends the first message to the authentication server; the terminal receives the second message from the authentication server. According to the embodiment, the terminal directly requests the authentication server for identity authentication, and the communication path only passes through the terminal and the authentication server and does not pass through the service server, so that the communication flow can be simplified, and the time can be shortened.
In a possible implementation manner, the terminal sends the first message to a service server corresponding to the first service, where the first message further includes indication information, and the indication information is used to indicate the service server to send the first electronic identity data and the first information to the verification server; and the terminal receives the second message from the service server. According to the embodiment, the terminal requests the authentication server for identity authentication through the service server, and the communication path not only passes through the terminal and the authentication server, but also passes through the service server, so that the service server can conveniently control the service, and the security is improved.
In one possible embodiment, the method further comprises: the terminal acquires the biometric information of the service requester of the first service; and when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, the terminal executes the first service. According to this embodiment, the terminal can acquire the required identity information while verifying the identity, and can also ensure that the person presenting the identity is its holder (namely that the electronic identity holder and the service requester are the same person). On one hand, the service requester is not required to provide plaintext information to the service provider, so leakage of key private data and redundancy of unnecessary information are avoided; on the other hand, theft of the electronic identity can be prevented.
In a possible embodiment, before the terminal executes the first service, the terminal compares the biometric information of the service requester with the biometric information of the required identity information to determine that the biometric information of the service requester is consistent with the biometric information of the electronic identity holder. According to this embodiment, the above comparison process performed by the terminal can accommodate the provision that certain biometric information cannot be transmitted out of the terminal.
In a possible implementation manner, before the terminal executes the first service, sending biometric information of the service requester to a service server corresponding to the first service, where the biometric information of the service requester is used for the service server to compare the biometric information of the service requester with biometric information in the required identity information; the terminal receives the result of the comparison from the service server. According to the embodiment, the business server executes the comparison process, so that the business server can control the business conveniently, the security is improved, and the resource overhead on the terminal can be reduced.
In a possible implementation manner, before the terminal executes the first service, sending the biometric information of the service requester to the authentication server, where the biometric information of the service requester is used for the authentication server to compare the biometric information of the service requester with the biometric information in the required identity information; the terminal receives the result of the comparison from the authentication server. According to the embodiment, the verification server executes the comparison process, so that the verification server does not transmit the biological characteristic information of the electronic identity holder, the security is improved, and the resource overhead on the terminal can be reduced.
In a possible implementation, the first information is the required identity information identifier; or, the first information is a service application identifier for executing the first service and a service type identifier of the first service. According to this embodiment, when the first information is the required identity information identifier, the verification server obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to that identifier. When the first information is a service application identifier and a service type identifier, the verification server determines from the service type identifier that it should verify the identity of the electronic identity holder corresponding to the first electronic identity data and, when the verification passes, obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data; to do so, the verification server stores a mapping table of service application identifiers to required identity information identifiers, determines the identity information identifier required by the first service from its service application identifier, and then obtains the required identity information from all the identity information corresponding to the first electronic identity data according to that identifier.
In a possible implementation manner, before the terminal sends the first message, the terminal performs signature calculation on the service data of the first service by using a private key of the electronic identity holder to generate the first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key of the electronic identity holder is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key of the electronic identity holder. According to the embodiment, the signature calculation can be carried out on the service data only, and the signature calculation is not carried out on the first information, so that the method is compatible with the prior art.
In a possible implementation manner, before the terminal sends the first message, the terminal performs signature calculation on the service data of the first service and the first information by using a private key of the electronic identity holder to generate the first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key of the electronic identity holder is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service and the first information by using the private key of the electronic identity holder. According to the embodiment, the signature calculation is performed not only on the service data, but also on the first information, so that the safety is high.
In a possible implementation manner, before the terminal sends the first message, the terminal determines an identity information identifier required by the first service; the terminal may determine the identity information identifier required by the first service by any one of the following manners: the terminal determines the required identity information identifier according to a mapping table of pre-stored service application identifiers and the required identity information identifier; or, the terminal determines the required identity information identifier according to a user instruction; or, the terminal receives the required identity information identifier from a service server corresponding to the first service. According to the embodiment, the terminal can determine the required identity information identifier by adopting any one of the above modes, and the implementation mode is flexible.
In a possible implementation, before the terminal sends the first message, the method further includes: the terminal sends a third message to a service server corresponding to the first service, wherein the third message is used for requesting the service server to register the identity information customization service required by the first service to the verification server; and the terminal receives a fourth message from the service server, wherein the fourth message is used for informing that the identity information customizing service is successfully registered. According to the embodiment, the authentication server can respond to the requests of the terminal and the service server through the identity information customization service, so that the authentication server can only respond to legal requests.
In a possible implementation manner, after the terminal receives the fourth message from the service server, the method further includes: the terminal adds the service application identifier of the first service into a white list; and after responding to the request for triggering the first service, the terminal determines that the white list comprises the service application identifier of the first service. According to the embodiment, the terminal can prejudge and filter the service application, and does not send the first message to the service application which is not in the white list, so that the safety is improved to a certain extent, and unnecessary communication pressure brought by the verification request of illegal service applications is reduced.
In a second aspect, a method of obtaining identity information is provided. The verification server receives a fifth message comprising first electronic identity data and first information; the verification server verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to that data; when the identity verification of the electronic identity holder passes, the verification server obtains the identity information required by a first service from all identity information of the electronic identity holder according to the first information; and the verification server sends a sixth message including the required identity information.
According to the embodiment of the invention, the verification server can send the required identity information while authenticating the identity, the service requester is not required to provide plaintext information for the service provider, the leakage of key privacy data can be avoided, and the redundancy of unnecessary information is avoided.
In a possible embodiment, the authentication server receives the fifth message from the terminal; and the authentication server sends the sixth message to the terminal. According to the embodiment, the terminal directly requests the authentication server for identity authentication, and the communication path only passes through the terminal and the authentication server and does not pass through the service server, so that the communication flow can be simplified, and the time can be shortened.
In a possible implementation manner, the authentication server receives the fifth message from a service server corresponding to the first service; and the authentication server sends the sixth message to the service server. According to the embodiment, the terminal requests the authentication server for identity authentication through the service server, and the communication path not only passes through the terminal and the authentication server, but also passes through the service server, so that the service server can conveniently control the service, and the security is improved.
In a possible implementation, before the authentication server sends the sixth message, the authentication server receives the biometric information of the service requester of the first service from the terminal; and when the biological characteristic information of the service request party is consistent with the biological characteristic information of the electronic identity holding party, the verification server sends the sixth message. According to the embodiment, the verification server executes the comparison process, so that the verification server does not transmit the biological characteristic information of the electronic identity holder, and the security is improved.
In a possible implementation, the first information is the required identity information identifier; or, the first information is a service application identifier for executing the first service and a service type identifier of the first service. According to this embodiment, when the first information is the required identity information identifier, the verification server obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to that identifier. When the first information is a service application identifier and a service type identifier, the verification server determines from the service type identifier that it should verify the identity of the electronic identity holder corresponding to the first electronic identity data and, when the verification passes, obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data; to do so, the verification server stores a mapping table of service application identifiers to required identity information identifiers, determines the identity information identifier required by the first service from its service application identifier, and then obtains the required identity information from all the identity information corresponding to the first electronic identity data according to that identifier.
In a possible implementation manner, the first electronic identity data is signature data generated by performing signature calculation on the business data of the first business by using a private key of the electronic identity holder; or the first electronic identity data is signature data generated by performing signature calculation on the service data of the first service and the first information by using a private key of the electronic identity holder; and the verification server verifies the signature data according to the public key of the electronic identity holder so as to verify the identity of the electronic identity holder. According to the embodiment, the signature calculation can be carried out only on the service data, and the signature calculation is not carried out on the first information, so that the method is compatible with the prior art; and not only can the signature calculation be carried out on the service data, but also the signature calculation can be carried out on the first information, so that the safety is high.
In a possible implementation manner, when the first information is a service application identifier for executing the first service and a service type identifier for the first service, the verification server determines a required identity information identifier corresponding to the first service according to a mapping table of pre-stored service applications and required identity information identifiers, and the verification server obtains the required identity information from all identity information of the electronic identity holder according to the required identity information identifier; or, when the first information is the required identity information identifier, the authentication server acquires the required identity information from all identity information of the electronic identity holder according to the required identity information identifier. According to the embodiment, the authentication server can determine the required identity information in any one of the above manners, and the implementation manner is flexible.
In a possible implementation, before the verification server receives the fifth message, the method further includes: the verification server receives a seventh message from a service server corresponding to the first service, wherein the seventh message comprises information about the service provider of the first service and an identity information customization indication; the verification server determines that the service provider is legitimate according to the information about the service provider, and registers the identity information customization service according to the identity information customization indication; and the verification server sends an eighth message to the service server, wherein the eighth message informs the service server that the service provider is legitimate and that the identity information customization service has been registered successfully. According to this embodiment, the verification server responds to requests of the terminal and the service server through the identity information customization service, so that the verification server responds only to legitimate requests.
In a possible implementation, the seventh message further includes a service application identifier of the first service; after the verification server determines that the service provider is legal according to the information of the service provider of the first service, the verification server adds the service application identifier of the first service into a white list; after the verification server receives the fifth message, the verification server determines that the white list includes the service application identifier of the first service. According to the embodiment, the verification server can conveniently judge whether the service application of the first service is in the white list after receiving the fifth message, and the fifth message which is not in the white list can be directly ignored, so that unnecessary message analysis is avoided, and the resource overhead can be saved to a certain extent.
In a possible implementation manner, the seventh message further includes an identity information identifier required by the first service; the method further comprises the following steps: and storing the service application identifier and the required identity information identifier corresponding to the service application identifier in a mapping table. According to the embodiment, after receiving the fifth message, when the first information is the service application identifier for executing the first service and the service type identifier for the first service, the authentication server determines the required identity information identifier corresponding to the first service according to a mapping table of pre-stored service application identifiers and required identity information identifiers, and acquires the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
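The registration, white list and mapping-table handling described above, as an added Go example that is not part of the patent: a legal provider's seventh message whitelists its service application and stores its required identifiers, and a later request is answered with only the required items, in either form of the first information. The provider registry, the service type value `identity-authentication`, the eID code and the identity items are constructed assumptions.

```go
package main

import "fmt"

// FirstInfo carries one of the two forms of "first information": either the
// required identity information identifiers themselves, or a service
// application identifier together with a service type identifier.
type FirstInfo struct {
	RequiredIDs []string // first form; empty when the second form is used
	ServiceApp  string   // second form
	ServiceType string   // second form; "identity-authentication" is a constructed value
}

// RegistrationMessage is the seventh message sent by a service server.
type RegistrationMessage struct {
	Provider    string   // information of the service provider
	ServiceApp  string   // service application identifier of the first service
	RequiredIDs []string // identity information identifiers required by the first service
}

// VerificationServer holds the white list and mapping table filled at
// registration, plus all identity information of each holder keyed by eID
// code (constructed sample data is supplied by the caller).
type VerificationServer struct {
	legalProviders map[string]bool     // hypothetical registry of legal providers
	whitelist      map[string]bool     // service application identifiers accepted
	mapping        map[string][]string // service application id -> required identifiers
	holders        map[string]map[string]string
}

func NewVerificationServer(legalProviders []string, holders map[string]map[string]string) *VerificationServer {
	s := &VerificationServer{
		legalProviders: map[string]bool{},
		whitelist:      map[string]bool{},
		mapping:        map[string][]string{},
		holders:        holders,
	}
	for _, p := range legalProviders {
		s.legalProviders[p] = true
	}
	return s
}

// Register handles the seventh message: only a legal provider gets its
// service application whitelisted and its required identifiers stored in the
// mapping table (the eighth message is represented by the returned error).
func (s *VerificationServer) Register(msg RegistrationMessage) error {
	if !s.legalProviders[msg.Provider] {
		return fmt.Errorf("service provider %q is not legal; registration refused", msg.Provider)
	}
	s.whitelist[msg.ServiceApp] = true
	s.mapping[msg.ServiceApp] = append([]string(nil), msg.RequiredIDs...)
	return nil
}

// resolveRequiredIDs turns either form of first information into the
// identifiers of the identity information the first service needs.
func (s *VerificationServer) resolveRequiredIDs(fi FirstInfo) ([]string, error) {
	if len(fi.RequiredIDs) > 0 {
		return fi.RequiredIDs, nil
	}
	if !s.whitelist[fi.ServiceApp] {
		// not in the white list: the message is ignored without further parsing
		return nil, fmt.Errorf("service application %q is not in the white list", fi.ServiceApp)
	}
	if fi.ServiceType != "identity-authentication" {
		return nil, fmt.Errorf("service type %q does not request identity information", fi.ServiceType)
	}
	ids, ok := s.mapping[fi.ServiceApp]
	if !ok {
		return nil, fmt.Errorf("no mapping table entry for %q", fi.ServiceApp)
	}
	return ids, nil
}

// RequiredIdentityInfo is what the server does with the first information
// once the holder's identity has been verified: it returns only the required
// items out of all identity information of the holder.
func (s *VerificationServer) RequiredIdentityInfo(eidCode string, fi FirstInfo) (map[string]string, error) {
	all, ok := s.holders[eidCode]
	if !ok {
		return nil, fmt.Errorf("unknown electronic identity holder %q", eidCode)
	}
	ids, err := s.resolveRequiredIDs(fi)
	if err != nil {
		return nil, err
	}
	required := make(map[string]string, len(ids))
	for _, id := range ids {
		v, ok := all[id]
		if !ok {
			return nil, fmt.Errorf("holder has no identity item %q", id)
		}
		required[id] = v
	}
	return required, nil
}
```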
In a third aspect, a method of obtaining identity information is provided. A service server corresponding to a first service receives a ninth message from a terminal, wherein the ninth message comprises first electronic identity data, first information and first indication information, the first electronic identity data is used for a verification server to verify the identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used for the verification server to acquire identity information required for executing the first service from all identity information of the electronic identity holder; the service server sends the first electronic identity data and the first information to the verification server according to the first indication information; the service server receiving a tenth message from the authentication server, the tenth message including the required identity information or an identity information check result obtained based on the required identity information; and the service server sends the required identity information or the identity information check result to the terminal.
The first indication information may be sent as a separate parameter in the first message, or may be represented by attribute information of the first message itself, such as a tag value for indicating that the message is the first message.
In one example, unlike the previous embodiment, the first information is not included in the ninth message, the determination regarding the first information (e.g., the required identity information identification) is not performed by the terminal, and the terminal generates electronic identity data (e.g., a signature) using only the service data and then sends it to the service server. After receiving the signature, the service server determines the required identity information identifier according to the service requirement, attaches the determined required identity information identifier outside the signature, and then sends the required identity information identifier and the received signature to the verification server together for verification and feedback of the required identity information.
According to the embodiment of the invention, the terminal can acquire the required identity information while authenticating the identity, the service requester is not required to provide plaintext information for the service provider, the leakage of key privacy data can be avoided, and the redundancy of unnecessary information is avoided. And the terminal requests the authentication server for identity authentication through the service server, and the communication path not only passes through the terminal and the authentication server, but also passes through the service server, so that the service server can conveniently control the service, and the security is improved.
In a possible implementation manner, before the service server sends the required identity information or identity information check result to the terminal, the method further includes: the service server receives the biometric information of the service requester of the first service from the terminal; the service server compares the biometric information of the service requester with the biometric information in the required identity information; and the service server sends the comparison result to the terminal. According to the embodiment, the terminal can acquire the required identity information while authenticating the identity, and person-credential consistency can be ensured (namely, the electronic identity holder is the same person as the service requester). On one hand, the service requester is not required to provide plaintext information to the service provider, so that the leakage of key privacy data and the redundancy of unnecessary information are avoided; on the other hand, use of a stolen electronic identity can be prevented. And since the service server executes the comparison, the service server can control the service conveniently, and security is improved.
In a possible implementation, the first information is the required identity information identifier; or the first information is a service application identifier for executing the first service and a service type identifier for the first service. According to this embodiment, when the first information is the required identity information identifier, the authentication server may obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the required identity information identifier. When the first information is a service application identifier for executing the first service and a service type identifier of the first service, the authentication server determines from the service type identifier that the first service requires the identity of the corresponding electronic identity holder to be authenticated based on the first electronic identity data and, when the identity verification passes, that the identity information required by the first service is to be obtained from all the identity information corresponding to the first electronic identity data. A mapping table of service application identifiers and required identity information identifiers is stored in the verification server, so the verification server can determine the identity information identifiers required by the first service from the service application identifier of the first service, and then obtain the identity information required by the first service from all identity information corresponding to the first electronic identity data according to those identifiers.
In a possible implementation, before the service server receives the ninth message from the terminal, the method further includes: the service server sends an eleventh message to the authentication server, where the eleventh message includes information of a service provider of the first service and an identity information customization instruction, or includes information of the service provider and the required identity information identifier; and the service server receives a twelfth message from the verification server, wherein the twelfth message is used for informing that the service provider is legal and the identity information customizing service is successfully registered. According to the embodiment, the authentication server can respond to the requests of the terminal and the service server through the identity information customization service, so that the authentication server can only respond to legal requests.
In a fourth aspect, an embodiment of the present invention provides a terminal, where the terminal may implement the function executed in the method design in the first aspect, where the function may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In one possible design, the structure of the terminal includes a processor configured to support the terminal to perform the corresponding functions in the method of the first aspect. The terminal may also include a memory, coupled to the processor, that retains program instructions and data necessary for the terminal. The terminal may also include a communication interface for sending or receiving information or the like.
In a fifth aspect, an embodiment of the present invention provides an authentication server, where the authentication server may implement the functions performed in the method design of the second aspect, where the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In one possible design, the structure of the authentication server includes a processor configured to support the authentication server to perform the corresponding functions in the method of the second aspect. The authentication server may also include a memory for coupling with the processor that stores program instructions and data necessary for the authentication server. The authentication server may also include a communication interface for sending or receiving information or the like.
In a sixth aspect, an embodiment of the present invention provides a service server, where the service server may implement the function executed in the method design in the third aspect, where the function may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In one possible design, the service server includes a processor configured to support the service server to perform the corresponding functions in the method of the third aspect. The service server may also include a memory, coupled to the processor, that stores program instructions and data necessary for the service server. The service server may also include a communication interface for sending or receiving information or the like.
In a seventh aspect, an embodiment of the present invention provides a communication apparatus, which may be, for example, a chip, and which may be disposed in a terminal, where the communication apparatus includes a processor and an interface. The processor is configured to enable the communication device to perform the corresponding functions of the method of any of the first to third aspects. The interface is used to support communication between the communication device and other communication devices or other network elements. The communication device may also include a memory, coupled to the processor, that retains program instructions and data necessary for the communication device.
In an eighth aspect, an embodiment of the present invention provides a computer storage medium, which stores instructions that, when executed on a computer, cause the computer to perform the method according to any one of the first to third aspects.
In a ninth aspect, embodiments of the present invention provide a computer program or a computer program product, which contains instructions that, when the program is executed by a computer, cause the computer to perform the method of any one of the first to third aspects.
According to the embodiment of the invention, the terminal can acquire the required identity information while authenticating the identity, the service requester is not required to provide plaintext information for the service provider, the leakage of key privacy data can be avoided, and the redundancy of unnecessary information is reduced.
Drawings
Fig. 1 is a schematic diagram of a system architecture for performing identity authentication based on the eID technology in general;
fig. 2A is a flowchart of a method for acquiring identity information according to an embodiment of the present invention;
fig. 2B is a flowchart of another method for acquiring identity information according to an embodiment of the present invention;
fig. 2C is a flowchart of another method for acquiring identity information according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a system architecture based on which the method for acquiring identity information according to the embodiment of the present invention is provided;
fig. 4 is a communication diagram of a method for acquiring identity information according to an embodiment of the present invention;
fig. 5 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 6 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 7 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 8 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 9 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 10 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 11 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of another terminal according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a communication device according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of an authentication server according to an embodiment of the present invention;
fig. 16 is a schematic structural diagram of another authentication server according to an embodiment of the present invention;
fig. 17 is a schematic structural diagram of another communication device according to an embodiment of the present invention.
Detailed Description
When the terms "first", "second", etc. are referred to in the present application, they should be understood to serve only to distinguish one technical feature from another, unless the order is actually expressed in the context.
The embodiment of the invention provides a method for acquiring identity information, which is characterized in that after a service is triggered, partial identity information of a user corresponding to an electronic identity identifier is checked based on service requirements on the basis of identity authentication of a service requester by using the electronic identity identifier. And when the check result is yes, the terminal executes the service, otherwise, the service is not executed.
In the embodiment of the invention, whether the identity of the service requester is legal or not is verified, and whether partial identity information of the service requester meets the service requirement or not is also verified, so that on one hand, the leakage and redundancy of the identity information of the service requester are avoided, and on the other hand, the offline or other checking work of the service provider is reduced.
It will be appreciated that the service requestor may be authenticated using an electronic identity in any manner known in the art, such as by eID technology. The present application is not so limited.
The method for authenticating the service requester by using the electronic identity is briefly described below by taking the eID technology as an example.
The eID is a network electronic identity issued to citizens by the citizen network identity identification system of the Ministry of Public Security; it is based on cryptographic technology, uses a smart security chip as its carrier, and allows remote online identification without revealing identity information. It can also be defined as follows: a network electronic identity issued by the competent national authority, corresponding one-to-one with a person's real identity and used to identify the real identity of a citizen online. It consists of a pair of asymmetric keys and a digital certificate containing the public key and related information.
The electronic identity identifier is a string of code that stands in for the citizen's plaintext identity information; the corresponding plaintext identity information cannot be derived from the code. The code takes the form of a digital certificate and consists of a pair of asymmetric keys and a digital certificate containing the public key and related information. The key pair is generally generated inside the security chip that stores the electronic identity identifier. The public key can be exported to the issuer of the digital certificate (for example a certification authority, CA; a public security department can act in this role) and is used when the issuer generates the digital certificate; the private key cannot be exported and is mainly used later, when a service operation is executed, to generate a signature on service data. The certificate described here consists of many fields, such as the public key information of the electronic identity holder (including the public key and an identifier of the corresponding public key algorithm), the issuer's signature (generally obtained by the issuer signing the public key with its own private key), the issuer code, a serial number (uniquely identifying the certificate), a code representing the holder of the electronic identity (e.g., an eID code, which is a character code computed from the citizen's actual plaintext identity information according to a specific rule), and so on.
Fig. 1 is a schematic diagram of a system architecture for performing identity authentication based on the eID technology. The system comprises:
The eID issuing authority 101 (also called the eID center) is connected to the citizen network identity identification system of the Ministry of Public Security and to the public security population database, and is responsible for issuing and managing eIDs.
The eID registration and issuing authority 102 registers and issues eID carriers and can provide carriers on which eIDs are loaded; an institution with wide issuing channels and strict identity verification and face-to-face enrollment procedures (such as a bank) can apply to become an eID registration and issuing authority.
The eID network identity service providing mechanism 103 is connected with the eID issuing mechanism 101, accesses a service mechanism of network application (namely online application), and bears eID network identity identification basic service and related security value-added service.
An online application 104, which refers to a ubiquitous network service, may access the eID network identity service provider 103 for applications that require eID network identity and security services.
The eID carrier 105, the intelligent security chip that meets the requirement of the eID high-strength security mechanism, may be used as a carrier for the eID to securely store the eID, for example, a financial IC card, a social security card, a mobile phone with a security chip, a wearable device, and other intelligent terminals.
In one example, each citizen can only choose to turn on the eID function on one eID carrier. When the eID carrier is replaced, only the eID on the original carrier is logged out, and the eID can be started on the new carrier.
In another example, each citizen may choose to enable the eID function on multiple eID carriers, one of which is the primary eID carrier and the others secondary eID carriers. The primary eID carrier can be used alone for identity authentication of the service requester for a service. A secondary eID carrier cannot be used alone; it must be used together with the primary eID carrier for identity authentication of the service requester for a given service.
In an example, taking enablement of the eID function: when a user applies to a bank (i.e., the eID registration and issuing authority 102) for an eID card, bank counter staff may send the identity information submitted by the user (i.e., name and identity number) to the eID center (i.e., the eID issuing authority 101); the eID center then submits the user's identity information (e.g., identity number, portrait, etc.) to the public security population database for checking, to ensure that the identity information is accurate; after the check passes, the eID center generates an eID certificate for the user and sends it to the bank outlet; finally, the bank outlet writes the eID certificate to the bank card (i.e., the eID carrier 105) applied for by the user.
It is understood that, since the eID technology involves the private key and public key of the electronic identity (which may also be called the private key and public key of the electronic identity holder, for example the asymmetric key pair corresponding to the public network electronic identity defined in "Information security technology — Public network electronic identity format specification"), the system may further include a Certificate Authority (CA), a trusted third-party authority that certifies that a public key and other related information belong to their owner. A public key is the key of an entity's asymmetric key pair that may be disclosed. A public key certificate is an entity's public key information signed by the CA so that it cannot be forged. The certificate authority may be set up separately or integrated into the eID network identity service provider 103, and is therefore not shown in Fig. 1.
The online application 104 may be installed in a terminal, which may be a user terminal (e.g., an electronic device such as a mobile phone or a tablet computer) or a Point of Sale (POS) terminal, and the terminal may be a device capable of receiving information of a bank card, having a communication function, and receiving an instruction from a teller to complete exchange of financial transaction information and related information.
The eID carrier 105 may be installed in a terminal, which may be a user terminal, that has communication capabilities. Optionally, the eID carrier 105 may also be a separate entity (e.g., called an eID card) outside the user terminal, such as a bank card with a security chip, and may communicate with the user terminal through a wireless connection technology such as NFC or Bluetooth, or may communicate with the user terminal through an interface technology such as Universal Serial Bus (USB) or audio.
In one example, online application 104 and eID carrier 105 are installed in the same terminal, and online application 104 and eID carrier 105 exchange information through an internal communication mechanism.
In another example, the online application 104 and the eID carrier 105 are installed in different terminals that exchange information via short-range wireless communication technology, so that information can be exchanged, for example to conduct a transaction, securely and quickly. The short-range wireless communication technology may include Near Field Communication (NFC), Bluetooth, Wi-Fi, ZigBee, and the like, but the embodiment of the present invention is not limited thereto.
The embodiment of the invention provides a solution combined with the eID verification service, so as to selectively acquire part of the user's identity information based on the service and judge, based on the acquired part, whether to allow the service operation. This avoids the user having to provide plaintext identity information to the service provider manually or separately, and avoids the leakage of the user's key privacy data and the redundancy of unnecessary information. In addition, certain items in that part of the user identity information (such as biometric information like a portrait) can be compared with information about the service requester collected by the terminal, so as to ensure that the service requester and the electronic identity holder (such as an eID holder) are really the same person, namely person-credential consistency.
In one example, it may be assumed that the electronic identity holder is the service requester, i.e., person-credential consistency is assumed. When the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal executes the first service.
Fig. 2A is a flowchart of a method for obtaining identity information according to an embodiment of the present invention, where it is assumed that an electronic identity holder is a service requester, the method includes:
step 201, the terminal determines an identity information identifier required by the first service.
For example, the terminal determines the required identity information identifier according to a mapping table of pre-stored service application identifiers and the required identity information identifiers; or, the terminal determines the required identity information identifier according to a user instruction; or, the terminal receives the required identity information identifier from a service server corresponding to the first service.
Step 202, the terminal sends a request message, where the request message includes first electronic identity data and first information, the first electronic identity data is used for the authentication server to authenticate the identity of the electronic identity holder corresponding to the first electronic identity data, and when the identity authentication of the electronic identity holder passes, the first information is used for the authentication server to obtain required identity information from all identity information of the electronic identity holder.
In the embodiment of the present invention, the first information may be a required identity information identifier; and the verification server acquires the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier. Or, the first information may be a service application identifier for executing the first service and a service type identifier of the first service; in this case, step 201 need not be performed. The verification server determines that the first service needs identity authentication service and obtains identity information needed by the service according to the service type identifier of the first service, determines an identity information identifier needed by the first service from a mapping table of a pre-configured service application identifier and the needed identity information identifier according to the service application identifier of the first service, and obtains the needed identity information from all identity information of an electronic identity holder according to the identity information identifier needed by the first service.
In one example, the mapping table may be configured when the authentication server registers the identity information customizing service required for the first service.
The first electronic identity data may be signature data generated by the terminal performing a signature calculation on the service data of the first service using the private key of the electronic identity holder; or signature data that the terminal obtains from the security device holding the private key of the electronic identity holder, where the security device performs the signature calculation on the service data of the first service with that private key.
It will be appreciated that the raw data of the signature calculation described above may include not only the business data but also the first information.
Step 203, the terminal receives a response message, where the response message includes the required identity information or an identity information check result obtained based on the required identity information.
The identity information check result is used for indicating whether the required identity information meets the service requirement, for example, when the identity information check result is yes, indicating that the required identity information meets the service requirement; and when the identity information check result is negative, the required identity information does not meet the service requirement.
The required identity information may be a single identity information (e.g., age), and the service requirement may be that the single identity information needs to satisfy a single checking condition. And when the single item of identity information meets the single item of checking condition, the identity information checking result is yes, and when the single item of identity information does not meet the single item of checking condition, the identity information checking result is no.
The required identity information can also be several items of identity information (such as age and gender), each with its own single-item check condition. The service requirement may then be that every item must meet the single-item check condition corresponding to it: when every item meets its condition, the identity information check result is yes, and when at least one item does not, the result is no. Alternatively, the service requirement may be that a comprehensive check result is determined from whether each item meets its corresponding single-item check condition, and that the comprehensive check result must meet a comprehensive check condition: when every item meets its single-item check condition, the identity information check result is yes; when at least one item does not, it is determined whether the comprehensive check result meets the comprehensive check condition, and the identity information check result is yes if it does and no if it does not.
In this embodiment of the present invention, the terminal may directly send a request message to the authentication server in step 202, and correspondingly, the terminal may receive a response message from the authentication server in step 203. Or, the terminal may send a request message to the service server in step 202, and indirectly send the request message to the authentication server through the service server, and accordingly, the terminal may receive a response message from the service server in step 203, where the response message is sent after the service server receives the response message from the authentication server.
Step 204, when the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal executes the first service.
According to the embodiment of the invention, the terminal can acquire the required identity information while authenticating the identity, the service requester is not required to provide plaintext information for the service provider, the leakage of key privacy data can be avoided, and the redundancy of unnecessary information is avoided.
In another example, it may be assumed that the electronic identity holder is not necessarily the service requester (e.g., the electronic identity holder's eID card has been stolen), so it is necessary to verify person-credential unity, that is, that the person presenting the electronic identity is its holder. In this case the terminal executes the first service when the required identity information meets the requirement for executing the first service (or the identity information check result is yes) and the person-credential unity verification result is also yes. For example, the terminal acquires the biometric information of the service requester of the first service, and when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, the person-credential unity verification result is determined to be yes.
Fig. 2B is a flowchart of another method for obtaining identity information according to an embodiment of the present invention, where it is assumed that an electronic identity holder is not necessarily a service requester, the method includes:
Step 211, the terminal determines the identity information identifier required by the first service.
Step 212, the terminal sends a request message, where the request message includes first electronic identity data and first information, the first electronic identity data is used for the authentication server to authenticate the identity of the electronic identity holder corresponding to the first electronic identity data, and when the identity authentication of the electronic identity holder passes, the first information is used for the authentication server to obtain the required identity information from all the identity information of the electronic identity holder.
In the embodiment of the present invention, the first information may be a required identity information identifier; and the verification server acquires the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier. Or, the first information may be a service application identifier for executing the first service and a service type identifier of the first service; in this case, step 211 need not be performed. The verification server determines that the first service needs identity authentication service and obtains identity information needed by the service according to the service type identifier of the first service, determines an identity information identifier needed by the first service from a mapping table of a pre-configured service application identifier and the needed identity information identifier according to the service application identifier of the first service, and obtains the needed identity information from all identity information of an electronic identity holder according to the identity information identifier needed by the first service.
In step 213, the terminal receives a response message, where the response message includes the required identity information or an identity information check result obtained based on the required identity information.
In this embodiment of the present invention, the terminal may directly send a request message to the authentication server in step 212, and correspondingly, the terminal may receive a response message from the authentication server in step 213. Alternatively, the terminal may send the request message to the service server in step 212, and indirectly send the request message to the authentication server through the service server, and accordingly, the terminal may receive a response message from the service server in step 213, where the response message is sent after the service server receives the response message from the authentication server.
In step 214, the terminal obtains the biometric information of the service requester of the first service.
Step 215, when the required identity information meets the requirement of executing the first service or the identity information check result is yes and the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, the terminal executes the first service.
It will be appreciated that the biometric information of the service requester may be compared by the terminal with the biometric information in the required identity information. Alternatively, the terminal sends the biometric information of the service requester to the service server corresponding to the first service, the service server compares it with the biometric information in the required identity information, and the terminal receives the comparison result from the service server. Alternatively, the terminal sends the biometric information of the service requester to the verification server, the verification server compares it with the biometric information in the required identity information, and the terminal receives the comparison result from the verification server.
In the embodiment of the invention, the terminal can acquire the required identity information while authenticating the identity and ensure person-credential unity (namely that the electronic identity holder is the same person as the service requester). On one hand, the service requester is not required to provide plaintext information to the service provider, so leakage of key privacy data and the redundancy of unnecessary information are avoided; on the other hand, use of a stolen electronic identity can be prevented.
Fig. 2C is a flowchart of another method for acquiring identity information according to an embodiment of the present invention, in which a terminal further performs identity information customization service registration before sending a first message, a registration process may be combined with fig. 2A or fig. 2B, and the embodiment is described by combining the registration process with fig. 2A as an example, and the method includes:
Step 221, the terminal determines the identity information identifier required by the first service.
In step 222, the terminal sends a request message to a service server corresponding to the first service, where the request message is used to request the service server to register an identity information customization service required by the first service with the authentication server.
In one example, the request message may include a service application identifier of the first service. And after the verification server determines that the service provider is legal according to the information of the service provider of the first service, the verification server adds the service application identifier of the first service into a white list.
In another example, the request message may include a service application identifier of the first service and an identity information identifier required by the first service. After the authentication server registers the identity information customization service required by the first service, the authentication server can also store the service application identifier and the required identity information identifier corresponding to the service application identifier in a mapping table.
Step 223, the terminal receives a response message from the service server, where the response message is used to notify the identity information customizing service that the registration is successful.
It is understood that step 223 may further include the following processes: the terminal adds the service application identifier of the first service into a white list; after the terminal responds to the request for triggering the first service, if the terminal determines that the white list includes the service application identifier of the first service, then step 224 is executed, otherwise, the subsequent steps are not executed.
Step 224, the terminal sends a request message, where the request message includes first electronic identity data and first information, the first electronic identity data is used for the authentication server to authenticate the identity of the electronic identity holder corresponding to the first electronic identity data, and when the identity authentication of the electronic identity holder passes, the first information is used for the authentication server to obtain the required identity information from all the identity information of the electronic identity holder.
In the embodiment of the present invention, the first information may be a required identity information identifier; and the verification server acquires the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier. Or, the first information may be a service application identifier for executing the first service and a service type identifier of the first service; in this case, step 221 need not be performed. The verification server determines that the first service needs identity authentication service and obtains identity information needed by the service according to the service type identifier of the first service, determines an identity information identifier needed by the first service from a mapping table of a pre-configured service application identifier and the needed identity information identifier according to the service application identifier of the first service, and obtains the needed identity information from all identity information of an electronic identity holder according to the identity information identifier needed by the first service.
In one example, the first information is a service application identifier for executing the first service and a service type identifier of the first service, and a white list of legitimate service application identifiers is established in the authentication server. And after determining that the white list comprises the service application identifier of the first service, the verification server determines the identity information identifier required by the first service from a mapping table of pre-configured service application identifiers and required identity information identifiers according to the service application identifier of the first service, and acquires required identity information from all identity information of an electronic identity holder according to the identity information identifier required by the first service.
In step 225, the terminal receives a response message, where the response message includes the required identity information or an identity information check result obtained based on the required identity information.
Step 226, when the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal executes the first service.
The embodiment of the invention can ensure that the processing flow for acquiring the required identity information can be initiated only if the verification server confirms that the service is legal.
Since person-credential unity in fig. 2B is judged on the basis of the identity information required by the service, and the purpose of registering the identity information customization service in fig. 2C is likewise to obtain the identity information required by the service, the embodiments of the present invention below mainly describe how to obtain the identity information required by the service, and on that basis describe how to determine person-credential unity and how to register the identity information customization service.
The method for acquiring the identity information provided by the embodiment of the invention is combined with the identity authentication technology. Identity authentication can be carried out by adopting an eID technology, and identity authentication can also be carried out by adopting other electronic identity authentication technologies, so that identity information required by the service can be acquired while identity authentication is carried out. Since the system architecture shown in fig. 1 is complex and is a system architecture for the eID technology, the system architecture shown in fig. 1 is abstracted into the system architecture shown in fig. 3 for the sake of generality.
Fig. 3 is a schematic diagram of the system architecture on which the method for acquiring identity information provided by the embodiment of the present invention is based. The system comprises a terminal 301, an authentication server 302 and a service server 303.
In one example, the terminal 301 may correspond to the terminal on which the online application 104 is located in fig. 1. Accordingly, in one example, the terminal 301 includes a business application and an electronic identity client (e.g., an eID client), where the business application may include the online application 104 shown in fig. 1. In one particular example, the business application may be embodied in the form of a business APP providing the functionality of the online application. The electronic identity client may be embedded in the service application, or the service application and the electronic identity client may be independent of each other with the electronic identity client invoked by the service application; the electronic identity client may be used to generate or obtain data representing the user identity, such as the first electronic identity data described in fig. 2A-2C. Taking an eID client as an example of an electronic identity client, the eID client is mainly used for reading and writing eID cards. The eID card can be an independent card, such as a bank card loaded with an eID function; the eID card can generate the first electronic identity data for reading by the eID client, and the reading and writing of the eID card can be realized by a short-distance wireless communication technology such as Near Field Communication (NFC). NFC is a short-distance wireless connection technology based on Radio Frequency Identification (RFID) that realizes communication between electronic devices at short range by magnetic field induction, so that a user can exchange information safely and quickly and perform a transaction, such as a near-field payment, simply by touching or approaching the electronic devices. NFC operates at a frequency of 13.56 MHz with an effective communication range of 0-20 cm, with a typical value of 4 cm.
Optionally, the eID card may also be integrated inside the terminal, and at this time, reading and writing the eID card may be implemented through a communication mechanism inside the terminal.
It should be noted that the electronic identity client may also be a client of another type other than the eID client, for example, the encrypted electronic identity may be directly read from a security chip (such as a secure element SE or a trusted execution environment TEE on a mobile phone) storing an electronic identity (which may be different from the eID, for example, a string of numbers representing the user identity) as first electronic identity data, and specifically, the electronic identity client may invoke a corresponding trusted application in the security chip to generate the first electronic identity data (which may not be signature data, for example, the stored electronic identity is encrypted by using a public key of the authentication server).
The terminal 301 may be an intelligent terminal such as a mobile phone or a PC (an applicable scenario being that when a user shops online or performs other online services on the mobile phone or PC, certain specific identity information needs to be verified), or may be a dedicated terminal such as a POS (an applicable scenario being that a physical store, a government worker or the like needs to verify certain specific identity information of a citizen). The service includes service operations in scenarios such as online shopping (in particular an order submission or payment confirmation operation in online shopping), electronic voting, government affairs such as hotel room reservation, express delivery receiving and dispatching, traffic police inspection, and temporary use or lease of public facilities.
The verification server 302 may correspond to the eID network identity service providing mechanism 103 in fig. 1 (or may also correspond to the eID network identity service providing mechanism 103 and the eID issuing mechanism 101), and is configured to verify electronic identity data (e.g., signature data obtained by performing signature calculation on service data using a private key of an electronic identity holder) provided by a terminal (e.g., correspondingly verify the signature data using a public key of the electronic identity holder), and provide identity information required by a service.
The service server 303 is arranged to execute one or more services in cooperation with a service application on the terminal 301. When the first communication path (i.e., communication path 1) is used, the service server 303 does not participate in the process of acquiring the identity information, and the communication path 1 is shown by a solid line in fig. 3; when the second communication path (i.e. communication path 2) is used, the service server 303 participates in the process of acquiring the identity information, and the communication path 2 is shown by a dotted line in fig. 3.
It is understood that, based on the system architecture shown in fig. 3, the communication path 1 or the communication path 2 may be adopted to implement the method for acquiring identity information provided by the embodiment of the present invention.
The first communication path (i.e. communication path 1) is a communication path that directly requests the authentication server 302 (e.g. the eID server) for identity authentication for the terminal 301 (e.g. the service APP passes through the eID client), and requests to acquire identity information or an identity information check result required by the service (e.g. the service APP requests the eID client to directly send the signature and other related information to the authentication server for processing after acquiring the signature). This communication path passes through the terminal 301 and the authentication server 302, and does not pass through the service server 303, that is, the terminal 301 directly sends a request to the authentication server 302.
The second communication path (i.e. communication path 2) is a communication path that requests the authentication server 302 (e.g. the eID server) to perform identity authentication for the terminal 301 (e.g. after the service APP obtains a signature through the eID client) through the service server 303, and requests to obtain identity information or a check result required by the service. The communication path passes through the terminal 301, the service server 303 and the authentication server 302, that is, the terminal 301 indirectly sends a request to the authentication server 302 through the service server 303.
In one example, to achieve the obtaining of the identity information, the terminal 301 may first determine an identity information identifier required by the first service; and then sending a request message to the verification server 302 or the service server 303, where the request message includes first electronic identity data and first information, the first electronic identity data is used for the verification server 302 to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used for the verification server 302 to obtain identity information required by the first service from all identity information of the electronic identity holder. Accordingly, the terminal 301 receives a response message including the required identity information or an identity information check result obtained based on the required identity information from the authentication server 302 or the service server 303.
It can be understood that, when the first communication path is adopted, the terminal 301 determines the identity information identifier required by the first service; the terminal 301 sends a request message to the authentication server 302, wherein the request message includes first electronic identity data and first information; the verification server 302 verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data; when the identity authentication is passed, acquiring identity information required by the first service from all identity information corresponding to the first electronic identity data according to the first information; the authentication server 302 sends a response message including the required identity information or an identity information check result obtained based on the required identity information to the terminal 301. At this time, the service server 303 does not participate in the process of acquiring the identity information, and only executes a corresponding service processing process when the required identity information meets the service requirement subsequently, which is not described herein again.
When a second communication path is adopted, the terminal 301 sends a request message to a service server 303 corresponding to a first service, wherein the request message includes first electronic identity data, first information and indication information; the service server 303 sends the first electronic identity data and the first information to the authentication server 302 according to the indication information; the verification server 302 verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data; when the identity authentication is passed, acquiring identity information required by the first service from all identity information corresponding to the first electronic identity data according to the first information; the authentication server 302 sends the required identity information or an identity information check result obtained based on the required identity information to the service server 303; the service server 303 sends a response message to the terminal 301, where the response message includes the required identity information or the identity information check result.
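The registration, white list and mapping table described for fig. 2C, and the two communication paths just described, can be modelled end to end. The following is an added example written for this page; it is not code from the patent or from Huawei. Every name in it is assumed: the holder's signature over the service data is stood in for by an HMAC keyed with a per-holder secret held by the verification server (the patent describes a private-key signature verified with the holder's public key; the HMAC is a stand-in so the block runs with the standard library alone), and the identity record, service application identifier, service type identifier and indication information value are constructed sample data.

```python
"""Verification server, service server and terminal for communication paths 1 and 2.

Added example (not from the patent). The HMAC below is a STAND-IN for the
holder's private-key signature described in the text; all identifiers and
identity records are constructed sample values.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed per-holder secret shared with the verification server (stand-in for a key pair).
HOLDER_SECRET = b"constructed-holder-secret-do-not-reuse"
HOLDER_ID = "eid-holder-0001"
HOLDER_IDENTITY = {  # the holder's full identity record as held by the verification server
    "name": "Sample Holder", "age": 32, "gender": "F", "nationality": "CN",
    "id_number": "CONSTRUCTED-ID-NUMBER", "marital_status": "unmarried",
}
INDICATION_FORWARD = "forward_to_verification_server"  # assumed indication information value


def sign_service_data(secret: bytes, service_data: str) -> str:
    """Terminal/eID-client side: produce the first electronic identity data (stand-in signature)."""
    return hmac.new(secret, service_data.encode(), hashlib.sha256).hexdigest()


def make_eid_data(eid_id: str, secret: bytes, service_data: str) -> Dict[str, str]:
    return {"eid_id": eid_id, "service_data": service_data,
            "signature": sign_service_data(secret, service_data)}


class VerificationServer:
    def __init__(self) -> None:
        self.holders: Dict[str, Tuple[bytes, dict]] = {}  # eid_id -> (secret, full identity)
        self.white_list: set = set()                       # legitimate service application identifiers
        self.mapping: Dict[str, Tuple[str, ...]] = {}      # service app id -> required identity identifiers
        self.types_needing_identity = {"age_restricted_purchase"}  # service types that need this service

    def enroll_holder(self, eid_id: str, secret: bytes, identity: dict) -> None:
        self.holders[eid_id] = (secret, identity)

    def register_service(self, app_id: str, provider_is_legal: bool, required: Tuple[str, ...]) -> bool:
        """Fig. 2C registration: only a legal provider's app id enters the white list / mapping table."""
        if not provider_is_legal:
            return False
        self.white_list.add(app_id)
        self.mapping[app_id] = required
        return True

    def authenticate(self, eid_data: Dict[str, str]) -> bool:
        rec = self.holders.get(eid_data.get("eid_id", ""))
        if rec is None:
            return False
        expected = sign_service_data(rec[0], eid_data["service_data"])
        return hmac.compare_digest(expected, eid_data.get("signature", ""))

    def handle_request(self, eid_data: Dict[str, str], first_info: dict) -> dict:
        """Returns only the identity items the service is entitled to (data minimisation)."""
        if not self.authenticate(eid_data):
            return {"status": "identity_authentication_failed"}
        if "required_ids" in first_info:              # first information = required identifiers
            required = tuple(first_info["required_ids"])
        else:                                          # first information = app id + service type
            if first_info.get("service_type") not in self.types_needing_identity:
                return {"status": "service_type_needs_no_identity_service"}
            app_id = first_info.get("service_app_id")
            if app_id not in self.white_list:
                return {"status": "service_not_registered"}
            required = self.mapping[app_id]
        identity = self.holders[eid_data["eid_id"]][1]
        return {"status": "ok", "identity_info": {k: identity[k] for k in required if k in identity}}


class ServiceServer:
    """Communication path 2: forwards the terminal's request according to the indication information."""
    def __init__(self, verification_server: VerificationServer) -> None:
        self.vs = verification_server

    def handle_request(self, request: dict) -> dict:
        if request.get("indication") != INDICATION_FORWARD:
            return {"status": "bad_request"}
        return self.vs.handle_request(request["eid_data"], request["first_info"])


def run_both_paths() -> dict:
    """Path 1 (terminal -> verification server) and path 2 (terminal -> service server -> verification server)."""
    vs = VerificationServer()
    vs.enroll_holder(HOLDER_ID, HOLDER_SECRET, HOLDER_IDENTITY)
    vs.register_service("liquor-shop-app", provider_is_legal=True, required=("age",))
    eid_data = make_eid_data(HOLDER_ID, HOLDER_SECRET, "order-7781-amount-120")
    first_info = {"service_app_id": "liquor-shop-app", "service_type": "age_restricted_purchase"}
    path1 = vs.handle_request(eid_data, first_info)
    path2 = ServiceServer(vs).handle_request(
        {"eid_data": eid_data, "first_info": first_info, "indication": INDICATION_FORWARD})
    unregistered = vs.handle_request(eid_data, {"service_app_id": "unknown-app",
                                                "service_type": "age_restricted_purchase"})
    tampered = vs.handle_request(dict(eid_data, service_data="order-7781-amount-999"), first_info)
    return {"path1": path1, "path2": path2, "unregistered": unregistered, "tampered": tampered}


if __name__ == "__main__":
    print(run_both_paths())
```

Note that both paths return the same minimal response, only the age, even though the holder's full record contains the name and id number: the white list decides whether the service may ask at all, and the mapping table decides which items it may receive. The tampered request fails because the stand-in signature no longer matches the service data, which is the authentication step that must precede any disclosure.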
For the first communication path, in an example, the authentication server 302 may directly send the identity information required by the service to the terminal 301 according to a request of the terminal 301, and the terminal 301 checks whether the identity information required by the service meets the service requirement, when the identity information required by the service meets the service requirement, the terminal 301 executes the service, and when the identity information required by the service does not meet the service requirement, the terminal 301 does not execute the service.
For the first communication path, in another example, the authentication server 302 may directly send the identity information required by the service to the terminal 301 according to a request of the terminal 301, the terminal 301 sends the identity information required by the service to the service server 303, the service server 303 checks whether the identity information required by the service meets the service requirement, when the identity information required by the service meets the service requirement, the check result is yes, the service server 303 sends the check result to the terminal 301, so that the terminal 301 executes the service, and when the identity information required by the service does not meet the service requirement, the check result is no, the service server 303 sends the check result to the terminal 301, so that the terminal 301 does not execute the service.
For the first communication path, in another example, the authentication server 302 may check whether the identity information required by the service satisfies the service requirement according to a request of the terminal 301, when the identity information required by the service satisfies the service requirement, the check result is yes, the authentication server 302 sends the check result to the terminal 301 to enable the terminal 301 to execute the service, and when the identity information required by the service does not satisfy the service requirement, the check result is no, the authentication server 302 sends the check result to the terminal 301 to enable the terminal 301 to not execute the service.
The identity information required by the service may include basic identity information of an individual, such as the age, sex, marital, and the like of a citizen, and/or identity association information of the service requester and other users, such as a relationship of relatives, an agency relationship, and the like. It is understood that the identity information required by the service may be the entire content of the identity information (referred to as the entire identity information) or may be a partial content of the identity information (referred to as the partial identity information).
The partial identity information may refer to plaintext basic identity information such as a photo, a name, an identification number or a birth date, or may refer to basic identity information indicating a state, such as being over X years old, holding a valid electronic driving licence, or being unmarried. The agency relationship may include agency relationships in various scenarios, such as loans or legal entrustment. Typically, the principal (i.e., the electronic identity holder, such as an eID holder) presents its electronic identity (e.g., an eID card, or in future possibly an eID card copy, which may be understood as resembling a present-day copy of a second-generation identity card) to the agent (i.e., the service requester, who is also the current user of the eID card) for direct use by the agent. In this case the service takes effect for the principal, not for the agent.
The service requirement may be a requirement that, when a service requester uses a certain service through the service APP, the service provider checks certain specific identity information of the service requester (i.e., the identity information required by the service), for example one or more items such as the user's photo, age, gender, nationality, marital status or the validity period of an electronic certificate, and even an association relationship between a plurality of users. For example, the age of a consumer needs to be specifically checked when buying cigarettes and alcohol; the photo, name and even marital status of a traveller need to be specifically checked when checking into a hotel; the name, contact information and the like of a sender may need to be specifically checked when receiving and sending express mail; the photo, the validity period of the electronic driving licence and the like of a driver may need to be specifically checked during a traffic police inspection; and the gender of a user may need to be specifically checked when using some public facilities (such as a changing room).
It will be appreciated that the identity information required by the service may include one or more items of identity information, for example age and nationality, each of which requires checking. In the above examples in which the identity information required by the service is checked by the service server or the authentication server, the server may feed back the check result of each item of identity information (hereinafter referred to as a single check result) to the terminal, so that the terminal can determine whether to allow the service to be executed according to all the single check results. Alternatively, the server may determine a comprehensive check result from the check results of the individual items and feed back the comprehensive check result to the terminal, so that the terminal can determine whether to allow the service to be executed according to the comprehensive check result: for example, if all the single check results find that the identity information required by the service meets the service requirement, the comprehensive check result is yes; otherwise the comprehensive check result is no, or, if it cannot be decided, the comprehensive check result is undetermined, and the identity information corresponding to each single check result of no is fed back.
In the above example of checking the identity information required by the service through the terminal, the terminal may present the identity information required by the service to a service provider (e.g., a merchant) through a display screen or in other manners (e.g., voice, etc.), and the service provider manually checks the identity information, for example, after the service requirement is met through manual confirmation, the service is allowed to be executed through a certain manner (e.g., clicking a confirmation button, etc.), or the terminal may also check the identity information required by the service through the service APP by itself without manual intervention.
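The single check, the all-items check, the comprehensive check with a comprehensive checking condition (described with the Fig. 2A steps earlier on this page) and the yes/no/undetermined comprehensive result with feedback of the failing items (described just above) are the same small decision procedure seen from different ends. The following is an added example written for this page, not the patent's own code; the checking conditions, the comprehensive checking condition and the identity record are constructed sample values, and the terminal-side policy for an undetermined result is an assumption of the example.

```python
"""Evaluating the service requirement over the required identity information.

Added example (not from the patent). Conditions, the comprehensive condition,
the identity record and the terminal policy are constructed for illustration.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

SingleCondition = Callable[[Any], bool]            # single checking condition for one item
ComprehensiveCondition = Callable[[Dict[str, bool]], bool]  # condition over all single results


def single_check_results(identity_info: Dict[str, Any],
                         conditions: Dict[str, SingleCondition]) -> Dict[str, bool]:
    """One single check result per required item; a missing item counts as not satisfied."""
    return {item: (item in identity_info and bool(cond(identity_info[item])))
            for item, cond in conditions.items()}


def all_items_check(identity_info: Dict[str, Any], conditions: Dict[str, SingleCondition]) -> bool:
    """Identity information check result when every item must meet its single condition."""
    return all(single_check_results(identity_info, conditions).values())


def comprehensive_check(identity_info: Dict[str, Any],
                        conditions: Dict[str, SingleCondition],
                        comprehensive_condition: Optional[ComprehensiveCondition] = None
                        ) -> Tuple[str, List[str]]:
    """Server-side comprehensive check result.

    Returns ("yes" | "no" | "undetermined", failing_items). With every single result yes the
    answer is yes. Otherwise a configured comprehensive condition decides yes/no; without one the
    server cannot decide and reports undetermined together with the items whose result was no.
    """
    singles = single_check_results(identity_info, conditions)
    failing = sorted(item for item, ok in singles.items() if not ok)
    if not failing:
        return "yes", []
    if comprehensive_condition is None:
        return "undetermined", failing
    return ("yes" if comprehensive_condition(singles) else "no"), failing


def terminal_allows(comprehensive_result: str, failing_items: List[str],
                    terminal_policy: Optional[Callable[[List[str]], bool]] = None) -> bool:
    """Terminal-side decision: execute only on yes, or on undetermined if a local policy accepts
    the failing items (e.g. after manual confirmation by the service provider)."""
    if comprehensive_result == "yes":
        return True
    if comprehensive_result == "undetermined" and terminal_policy is not None:
        return terminal_policy(failing_items)
    return False


# Constructed sample: a service that wants age, nationality and marital status checked.
SAMPLE_CONDITIONS: Dict[str, SingleCondition] = {
    "age": lambda a: a >= 18,
    "nationality": lambda n: n == "CN",
    "marital_status": lambda m: m == "unmarried",
}
# Constructed comprehensive condition: age and nationality are mandatory, marital status is not.
SAMPLE_COMPREHENSIVE: ComprehensiveCondition = lambda s: s["age"] and s["nationality"]
SAMPLE_IDENTITY = {"age": 25, "nationality": "CN", "marital_status": "married"}


def run_sample() -> dict:
    singles = single_check_results(SAMPLE_IDENTITY, SAMPLE_CONDITIONS)
    with_cond = comprehensive_check(SAMPLE_IDENTITY, SAMPLE_CONDITIONS, SAMPLE_COMPREHENSIVE)
    without = comprehensive_check(SAMPLE_IDENTITY, SAMPLE_CONDITIONS)
    # Assumed terminal policy: tolerate a failing marital_status item only.
    policy = lambda failing: failing == ["marital_status"]
    return {
        "singles": singles,
        "all_items": all_items_check(SAMPLE_IDENTITY, SAMPLE_CONDITIONS),
        "comprehensive": with_cond,
        "undetermined": without,
        "terminal_on_undetermined": terminal_allows(without[0], without[1], policy),
        "terminal_on_undetermined_no_policy": terminal_allows(without[0], without[1]),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

The point a practitioner should take from the sample: the server never returns the marital status itself, only the fact that that item failed, so the terminal can apply its own policy (or a manual confirmation by the service provider, as the text allows) without the service ever seeing the plaintext value.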
For the second communication path, in an example, the authentication server 302 may directly send the identity information required by the service to the service server 303 according to a request of the service server 303, and the service server 303 checks whether the identity information required by the service meets the service requirement. When it does, the check result is yes, and the service server 303 sends the check result to the terminal 301 so that the terminal 301 executes the service; when it does not, the check result is no, and the service server 303 sends the check result to the terminal 301 so that the terminal 301 does not execute the service.
For the second communication path, in another example, the authentication server 302 may directly send the identity information required by the service to the service server 303 according to a request of the service server 303, the service server 303 then forwards the identity information required by the service to the terminal 301, and the terminal 301 checks whether the identity information required by the service meets the service requirement. When it does, the check result is yes and the terminal 301 executes the service; when it does not, the check result is no and the terminal 301 does not execute the service.
For the second communication path, in another example, the authentication server 302 may itself check whether the identity information required by the service satisfies the service requirement according to a request of the service server 303. When it does, the check result is yes, the authentication server 302 sends the check result to the service server 303, and the service server 303 in turn sends the check result to the terminal 301 so that the terminal 301 executes the service; when it does not, the check result is no, the authentication server 302 sends the check result to the service server 303, and the service server 303 in turn sends the check result to the terminal 301 so that the terminal 301 does not execute the service.
The specific content of the identity information required by the service is similar to that described in relation to the first communication path, and is not described herein again.
In one example, the identity information required for the service may include one or more items of identity information, such as age and nationality, each of which may need to be checked. In the above example of checking the identity information required by the service through the service server or the authentication server, the server may feed back the check result of each item of identity information (hereinafter referred to as a single check result) to the terminal, so that the terminal can determine whether to allow the service to be executed according to all the single check results; or, the server may determine a comprehensive check result from the check results of the individual items and feed back the comprehensive check result to the terminal, so that the terminal can determine whether to allow the service to be executed according to the comprehensive check result. For example, if all the single check results indicate that the identity information required by the service meets the service requirement, the comprehensive check result is yes; otherwise the comprehensive check result is no or undetermined, and the identity information corresponding to each single check result whose result is no is fed back as well. In the above example of checking the identity information required by the service through the terminal, the terminal may present the identity information required by the service to a service provider (e.g., a merchant) through a display screen or in another manner (e.g., voice), and the service provider checks the identity information manually; for example, after manually confirming that the service requirement is met, the service provider allows the service to be executed in some manner (e.g., by clicking a confirmation button). Alternatively, the terminal may check the identity information required by the service by itself through the service APP, without manual intervention.
The above-mentioned terminal executing the service may be understood as follows: in scenarios such as an order submission or payment confirmation operation in online shopping, electronic voting, hotel room reservation, express delivery receipt, traffic police inspection and other government activities, temporary use or rental of public facilities, and the like, if it is determined from the received identity information required by the service, or from the identity information check result, that the required identity information meets the service requirement, the subsequent processes continue, such as a successful order submission followed by the payment operation, or, after a successful hotel reservation, a room number being allocated to the service requester and a mail or short message notification being sent. In an example, the terminal not executing the service may be understood as terminating the service process if it is determined from the received identity information required by the service, or from the identity information check result, that the identity information required by the service does not meet the service requirement, for example by prompting an order submission failure or a payment failure, prompting the reason for the failure, and the like.
The first communication path passes only through the terminal 301 and the authentication server 302, and in particular involves local communication within the terminal between the service APP and the eID client; it does not pass through the service server 303.
The second communication path described above passes not only through the terminal 301 and the authentication server 302 but also through the service server 303, which facilitates control of the service by the service server 303. For example, on the terminal side the service APP may, according to the prior art, call the eID client to obtain signature data (data obtained by performing a signature calculation on service data, such as a service serial number, using the eID private key) and report the signature data to the service server; the service server side then determines the identity information required by the service, supplements the data reported by the terminal according to the service requirements, and sends the related information together with the signature data reported by the terminal to the verification server.
Fig. 4 is a communication diagram of a method for acquiring identity information according to an embodiment of the present invention. The method may be based on the system architecture shown in fig. 2, and a first communication path is adopted to obtain identity information or an identity information check result required by a service, and a terminal determines whether to execute the service according to the identity information or the identity information check result required by the service without an instruction of a service server, and the method includes:
Step 401, the terminal determines an identity information identifier required by the first service.
In one example, the terminal determines a required identity information identifier corresponding to the first service according to a mapping table of pre-stored service application identifiers and required identity information identifiers; or, the terminal determines the required identity information identifier corresponding to the first service according to a user instruction; or, the terminal obtains the required identity information identifier corresponding to the first service from the service server corresponding to the first service.
It will be appreciated that the first service has the requirement to check for specific identity information, such as: checking one or more items of information such as user photos, ages, sexes, nationalities, marital states, validity periods of electronic certificates and the like, and even checking the association relationship among a plurality of users.
In implementation, services may be classified into categories, such as category A, category B, category C, …, and the identity information required by the corresponding services into combinations of type I, type II, type III, …, so that the terminal may locally maintain a mapping table of such services and the identity information they require; after a specific service of a service APP on the terminal is triggered, the type of the required identity information may be determined according to the type of the service. The mapping table may be implemented in various ways. For example, the mapping table includes at least one service application identifier and the corresponding required identity information identifier, or at least one service application type and the corresponding required identity information identifier; the terminal can then look up the corresponding required identity information identifier according to the service application identifier or the service application type. The service application identifier is used to uniquely identify a service application, such as the package name of an application in the Android system of a mobile phone; the service application type is used to identify the category to which the service application belongs, for example payment-type applications (such as various shopping clients), reservation-type applications (such as hotel reservation clients, air ticket reservation clients, etc.), government-type applications (such as a voting client, etc.), and the like. For another example, the mapping table includes at least one service identifier and the corresponding required identity information identifier, and the terminal may find the corresponding required identity information identifier according to the service identifier of the triggered service, where the service identifier is used to uniquely identify a service within a service application, such as a payment service, a subscription service, or another service that requires verification of specific user identity information. For another example, the mapping table includes at least one service application identifier, a corresponding service identifier, and the required identity information identifier; the terminal may then find the corresponding required identity information identifier according to the service application identifier and the service identifier (for example, the service type) of the triggered service, where a service application may correspond to one or more services and the identity information of the user to be verified differs per service, for example a first service needs a type I identity information combination (such as age) and a second service needs a type II identity information combination (such as age and marital status). The required identity information identifier above may be an identifier of a single item of identity information or an identifier of a type of identity information combination (including at least one item of identity information).
Optionally, the service server may maintain the mapping table on the server side, and after a specific service of the service APP on the terminal is triggered, the terminal may request from the service server the type of the required identity information corresponding to the service. Alternatively, the required identity information may be user-defined (e.g., the service provider manually selects or enters the required identity information). Determining the identity information required by the first service may mean determining, on the service APP side or the service server side, the required identity information identifier based on a service operation triggered by the user (for example, the user selects the eID login manner when logging in to a website, confirms a payment, performs a voting operation, and the like).
Step 402, the terminal sends a first message to a verification server, where the first message includes first electronic identity data and first information, the first electronic identity data is used for the verification server to verify the identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification passes, the first information is used for the verification server to obtain identity information required by the first service from all identity information corresponding to the first electronic identity data.
In one example, the first information is the required identity information identifier; and the authentication server acquires the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the required identity information identifier.
In another example, the first information is a service application identifier for executing the first service and a service type identifier for the first service. In this example, step 401 need not be performed. The service type identifier of the first service is used to indicate that the authentication server needs to authenticate the identity of the corresponding electronic identity holder according to the first electronic identity data and, when the identity authentication passes, to acquire the identity information required by the first service from all the identity information corresponding to the first electronic identity data. A mapping table of service application identifiers and required identity information identifiers is stored in the verification server; the verification server can determine the identity information identifier required by the first service according to the service application identifier of the first service, and then obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to that identity information identifier.
In another example, the first information includes a service application identifier for executing the first service and a service identifier for the first service. This is particularly suitable for the case where a service application comprises a plurality of services requiring authentication of user identity information, for example a first service requiring identity combination 1, a second service requiring identity combination 2, and so on. In such an example, the service identifier may also be carried in the first information at the same time. Correspondingly, the service application provides the service identifier when registering for the electronic identity (eID) service, the verification server side also establishes a mapping table of service identifiers and the identity information identifiers required by each service, and it can determine the identity information required by the first service by looking up the mapping table with the service identifier in the first information.
In one example, the terminal generates the first electronic identity data through a digital signature operation. For example, the terminal uses a private key corresponding to an electronic identity identifier eID (namely, a first electronic identity) of an electronic identity holder to perform signature calculation on the service data of the first service to generate the first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key corresponding to the first electronic identity is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key corresponding to the first electronic identity. The signature operation described herein may use the prior art means (e.g., calculating a digest of the original data used for the signature, and then encrypting the digest with a private key), and will not be described in detail.
For another example, the terminal uses the private key corresponding to the first electronic identity to perform a signature calculation on the service data of the first service together with the first information to generate the first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key corresponding to the first electronic identity is located, wherein the first electronic identity data is generated by the security device performing a signature calculation on the service data of the first service and the first information using the private key corresponding to the first electronic identity.
It should be noted that the first message sent by the terminal to the verification server may include, in addition to the first electronic identity data and the first information, the service data (which may be data provided by the service provider, such as an order number generated when the user submits a shopping list on a shopping client). This is because the service data may be the original data of the signature, or part of it, and the verification server needs the complete original data of the signature when verifying the signature. Signature verification may use prior art means (for example, the public key corresponding to the private key is used to decrypt the signature to obtain a digest, a digest is then calculated over the original data of the signature, and finally the two digests are compared for equality), and details are not repeated.
Step 403, the verification server verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data.
The authentication process, i.e. how the signature is verified, is described here taking the case in which the first electronic identity data is a signature obtained by calculation. After verifying according to the prior art that the issuing organization's signature in the first electronic identity eID public key certificate is legitimate, the verification server decrypts the signature data using the eID public key to obtain a digest (such as a hash value), then calculates a digest over the original data in the first message using the same digest algorithm, and finally compares the two digests to determine whether the signature is legitimate; if so, the electronic identity identifier used by the service requester is considered to be consistent with the eID holder.
Step 404, when the identity authentication is passed, the authentication server obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the first information.
In one example, the first information is the required identity information identifier. In this case, in step 404, the authentication server directly obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the required identity information identifier.
In another example, the first information is a service application identifier for executing the first service and a service type identifier for the first service. In such a case, a mapping table of the service application identification and the required identity information identification is stored in the authentication server. In step 404, after determining that identity authentication needs to be completed for the first service and identity information needed by the first service needs to be provided at the same time based on the service type identifier of the first service in the first information, the verification server determines the identity information identifier needed by the first service according to the service application identifier of the first service in the first information, and then obtains the identity information needed by the first service from all identity information corresponding to the first electronic identity data according to the identity information identifier needed by the first service.
In another example, the first information includes a service application identifier for executing the first service, a service identifier for the first service, and a service type identifier for the first service. In such an example, the authentication server side would establish a mapping table of the service application identifier, the service identifier and the identity information identifier required by the service. In step 404, after determining that the identity authentication needs to be completed for the first service and the required identity information needs to be provided for the first service based on the service type identifier of the first service in the first information, the verification server determines the identity information identifier needed for the first service by reading the mapping table according to the service application identifier and the service identifier in the first information, and then obtains the identity information needed for the first service from all the identity information corresponding to the first electronic identity data according to the identity information identifier needed for the first service.
Step 405, the authentication server sends a second message to the terminal, where the second message includes the required identity information or an identity information check result obtained based on the required identity information.
In one example, the second message includes the required identity information. That is, the authentication server includes the identity information required for the first service, acquired in step 404, in the second message and sends the second message to the terminal. Based on this example, the terminal may send the identity information required for the first service to the service server, the service server determines the identity information check result, and the service server sends the identity information check result to the terminal. In this embodiment, in addition to protecting privacy and avoiding information redundancy, whether to execute the service is determined according to the identity information check result sent by the service server, so the controllability of the service is ensured and service security is improved.
In another example, the second message includes an identity information check result. That is, after acquiring the identity information required by the first service, the authentication server checks the identity information and returns the identity information check result to the terminal in the second message. For example, when a user purchases certain restricted goods (such as tobacco and alcohol) through a service application, it must be determined whether the user is an adult (i.e., whether the user is at least 18 years old); and when a user transacts certain affairs for others through a service application (such as an intermediary handling a loan service for a citizen, or a parent handling a social security service for a child), it must be determined whether the association between the user and the other person is legitimate.
Step 406, when the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal executes the first service.
In one example, the second message returned by the authentication server includes the required identity information described above (e.g., the requestor is 19 years old). In this case, in step 406, the terminal checks the received required identity information, determines whether the required identity information satisfies a requirement for performing the first service (for example, the requirement that the requesting person is over 18 years old), and determines whether to allow the service operation.
In another example, the second message returned by the authentication server includes the identity information check result (e.g., whether the age is over 18 years). In such a case, in step 406, the terminal determines whether to execute the current service operation directly according to the returned identity information check result: when the check result is yes, the first service is executed.
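The first communication path of steps 401 to 406, as an added runnable example that is not part of the patent: the terminal signs the service data together with the first information using an Ed25519 eID key, the verification server verifies the signature, looks up a mapping table keyed by service application identifier and service identifier, and discloses only the mapped items, and the terminal forms single and comprehensive check results. The patent fixes neither the signature algorithm nor the message encoding, so both are assumed here, as are the "eid-identity" service type value, the identifiers and the identity record, which are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

// FirstInfo is the "first information" of step 402.
type FirstInfo struct {
	AppID       string `json:"app_id"`       // service application identifier
	ServiceID   string `json:"service_id"`   // service identifier
	ServiceType string `json:"service_type"` // service type identifier
}

// FirstMessage is the terminal's first message: signature, first information, service data.
type FirstMessage struct {
	Signature   []byte // first electronic identity data
	Info        FirstInfo
	ServiceData string // e.g. an order number supplied by the service provider
}

// signedBytes is the complete original data of the signature (encoding assumed here).
func signedBytes(serviceData string, info FirstInfo) []byte {
	infoJSON, _ := json.Marshal(info) // a FirstInfo always marshals
	return append([]byte(serviceData+"|"), infoJSON...)
}

// buildFirstMessage is the terminal side: sign service data and first information with the eID private key.
func buildFirstMessage(priv ed25519.PrivateKey, data string, info FirstInfo) FirstMessage {
	return FirstMessage{Signature: ed25519.Sign(priv, signedBytes(data, info)), Info: info, ServiceData: data}
}

// VerificationServer: eID public key, full identity record, and mapping "appID/serviceID" -> required identifiers.
type VerificationServer struct {
	PubKey   ed25519.PublicKey
	Identity map[string]string
	Mapping  map[string][]string
}

// Handle performs steps 403 and 404: verify the signature, then disclose only the mapped items.
func (s *VerificationServer) Handle(msg FirstMessage) (map[string]string, error) {
	if !ed25519.Verify(s.PubKey, signedBytes(msg.ServiceData, msg.Info), msg.Signature) {
		return nil, fmt.Errorf("signature verification failed")
	}
	// Service type "eid-identity" (assumed value): authenticate and provide identity information.
	ids, ok := s.Mapping[msg.Info.AppID+"/"+msg.Info.ServiceID]
	if msg.Info.ServiceType != "eid-identity" || !ok {
		return nil, fmt.Errorf("unsupported service type or unregistered service")
	}
	required := map[string]string{}
	for _, id := range ids {
		v, ok := s.Identity[id]
		if !ok {
			return nil, fmt.Errorf("identity item %q not available", id)
		}
		required[id] = v // every other item in the record stays undisclosed
	}
	return required, nil
}

// CheckResult: single check results, comprehensive result, and the failed identifiers.
type CheckResult struct {
	Single        map[string]bool
	Comprehensive bool
	Failed        []string
}

// checkRequired is step 406 on the terminal: one rule per required item.
func checkRequired(required map[string]string, rules map[string]func(string) bool) CheckResult {
	res := CheckResult{Single: map[string]bool{}, Comprehensive: true}
	for id, rule := range rules {
		res.Single[id] = rule(required[id])
		if !res.Single[id] {
			res.Comprehensive = false
			res.Failed = append(res.Failed, id)
		}
	}
	sort.Strings(res.Failed)
	return res
}

// adultRule is the "at least 18 years old" requirement from the tobacco example.
func adultRule(age string) bool {
	n, err := strconv.Atoi(age)
	return err == nil && n >= 18
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &VerificationServer{PubKey: pub, Mapping: map[string][]string{"shop.example/purchase-tobacco": {"age"}},
		Identity: map[string]string{"name": "A. Holder", "age": "19", "nationality": "CN"}} // constructed record
	info := FirstInfo{AppID: "shop.example", ServiceID: "purchase-tobacco", ServiceType: "eid-identity"}
	required, err := srv.Handle(buildFirstMessage(priv, "order-0001", info))
	fmt.Println(required, err, checkRequired(required, map[string]func(string) bool{"age": adultRule}))
}
```

Because the first information is inside the signed data, a relay that rewrites the service application or service identifier to request a richer identity combination fails signature verification; the same server-side logic applies unchanged when the service server relays the messages on the second communication path.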
Through the method of the embodiment shown in fig. 4, the terminal directly requests the authentication server for authentication, and only acquires the identity information required for service execution or directly acquires the identity information check result, so that the user does not need to provide plaintext identity information to the service provider, the leakage of user privacy data is avoided, and the redundancy of unnecessary information is avoided. The method of the above embodiment is executed through the first communication path, and only passes through the terminal 301 and the authentication server 302, and does not pass through the service server 303, so that the communication flow can be simplified, and the time can be shortened.
Fig. 5 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention. The method may be based on the system architecture shown in fig. 3, and adopt a second communication path to obtain identity information or an identity information check result required by a service, and the method includes:
Step 501, the terminal determines an identity information identifier required by the first service.
The manner of executing this step may refer to the description of step 401 in fig. 4, and is not described again.
Step 502, a terminal sends a first message to a service server, where the first message includes first electronic identity data, first information and indication information, the first electronic identity data is used for a verification server to verify an identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification passes, the first information is used for the verification server to obtain identity information required by the first service from all identity information corresponding to the first electronic identity data. Wherein the indication information is used to instruct the service server to send the first electronic identity data and the first information to the authentication server, and the indication information may be sent as a separate parameter in the first message, or may be represented by attribute information of the first message itself, such as a tag value used to represent that the message is the first message.
In one example, the first information may be similar to the first information in step 402 of fig. 4, and is not described herein again.
In one example, the terminal generates the first electronic identity data through digital signature calculation. For example, the terminal uses a private key corresponding to an electronic identity identifier eID (namely, a first electronic identity) of an electronic identity holder to perform signature calculation on the service data of the first service to generate the first electronic identity data; or the terminal acquires first electronic identity data from the security device where the private key corresponding to the first electronic identity is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key corresponding to the first electronic identity.
For another example, the terminal uses a private key corresponding to a first electronic identity to perform signature calculation on the service data of the first service and the first information to generate the first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key corresponding to the first electronic identity is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service and the first information by using the private key corresponding to the first electronic identity.
In one example, the first message sent by the terminal may include, in addition to the first electronic identity data and the first information described above, service data requesting the authentication server to verify the signature and provide the required identity information.
Step 503, the service server sends the first electronic identity data and the first information to the authentication server according to the indication information.
Step 504, the verification server verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data.
The manner of executing this step may refer to the description of step 403 in fig. 4, and is not described herein again.
Step 505, when the identity authentication is passed, the authentication server acquires the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the first information.
The manner of executing this step may refer to the description of step 404 in fig. 4, and is not described herein again.
Step 506, the authentication server sends a second message to the service server, where the second message includes the required identity information or the identity information check result obtained based on the required identity information.
In one example, the second message includes the required identity information. That is, the authentication server includes the identity information required for the first service acquired in step 505 in the second message, and sends the second message to the service server.
In another example, the second message includes an identity information check result. Namely, after acquiring the identity information required by the first service, the authentication server checks the identity information, and the identity information checking result is contained in the second message and returned to the service server.
Step 507, the service server sends the required identity information or identity information check result to the terminal.
In one example, the service server may directly transmit the required identity information or the identity information check result received in step 506 to the terminal.
In another example, when the service server receives the required identity information in step 506, the service server may check the required identity information and then send the result of checking the identity information to the terminal.
Step 508, when the required identity information meets the requirement of executing the first service or the identity information check result is yes, the terminal executes the first service.
This step may be performed as described with reference to step 406 of fig. 4.
Through the method of the embodiment shown in fig. 5, the terminal requests authentication from the authentication server via the service server and obtains only the identity information required for service execution, or directly obtains the identity information check result. The user therefore does not need to hand the service provider plaintext identity information beyond what the service requires, leakage of user privacy data is avoided, and unnecessary redundant information is not transferred. The method of this embodiment runs over the second communication path, which passes not only through the terminal 301 and the authentication server 302 but also through the service server 303, so the service server 303 can conveniently control the service and security is improved.
It should be noted that, differing from the embodiment shown in fig. 5, the message sent by the terminal to the service server may also omit the first information. In that case the service server, on receiving the message, sends the first information together with the first electronic identity data carried in the message to the verification server according to the indication information in the message, where the first electronic identity data is signature data obtained by performing a signature calculation on the service data.
The embodiments described above with reference to fig. 4 and 5 can effectively verify the electronic identity used by the service requester and obtain the identity information required for the service once verification passes; that is, the identity of the electronic identity holder is verified while the identity information required by the service is provided to the service provider.
Confirming the identity of the service requester by verifying the identity of the electronic identity holder, i.e. concluding that because the first electronic identity data verified successfully the holder's identity is legitimate and the service requester is that holder, describes the ideal case of verification based on the service requester's electronic identity. In practice, however, it cannot be guaranteed that the service requester and the electronic identity holder are the same person (that is, that person and credential match), because the electronic identity carrier (such as an eID card) may have been stolen; for example, someone may apply for a service using another person's legitimate and valid eID carrier. In an offline service, the service provider (a physical store, a hotel and so on) and the eID user usually interact face to face, so part of the identity information returned by the eID authentication server (such as photo, name and gender) can be checked manually to confirm that the person matches the credential. Such checks are manual and cannot be automated. In an online service, the service provider and the user usually cannot interact in the same place, so after the service provider (an online store, for example) receives the partial identity information fed back by the eID verification server, a reliable match between person and credential cannot be established.
In other words, in the conventional art, genuine person-credential matching cannot be ensured in an automated manner.
Based on this consideration, building on any of the embodiments shown in fig. 4 or fig. 5, in the embodiment of the present invention the required identity information, or part of it (for example biometric information such as a facial photo, and optionally other information capable of characterising the user's own identity), may additionally be collected locally at the terminal. The identity information collected at the terminal is then compared with the required identity information provided by the authentication server (such as an eID server) to ensure that the service requester and the electronic identity holder (such as the eID holder) are indeed the same person, that is, that a genuine person-credential match is achieved.
In one example, the identity information required for the service includes biometric information. Before the terminal executes the first service, the terminal acquires the biological characteristic information of a service requester of the first service; when the biological characteristic information of the service request party is consistent with the biological characteristic information of the required identity information (namely, the biological characteristic information of the electronic identity holding party), the terminal executes the first service.
The biometric information includes various kinds of user characteristic information such as a facial photo, a fingerprint, an iris, a voiceprint and other biometric information that may be adopted later. The terminal collects the corresponding biometric information according to the type of biometric information in the required identity information; for example, a camera collects the user's facial or iris photo, a fingerprint sensor collects the user's fingerprint, and a voice collecting device (such as a microphone) collects the user's voiceprint.
It will be appreciated that the biometric information of the service requestor may be compared with the biometric information in the required identity information by any of the terminal, the service server and the authentication server to determine whether the biometric information of the service requestor is consistent with the biometric information of the electronic identity holder.
For example, the terminal acquires the biometric information of the service requester and, using the method of the foregoing embodiment, acquires the identity information required by the service; the terminal then compares the biometric information of the service requester with the biometric information in the required identity information to determine whether the two are consistent. The order in which the terminal acquires the biometric information of the service requester and the identity information required by the service is not limited: the terminal may acquire the biometric information first and then the required identity information, or acquire the required identity information first and then the biometric information.
For another example, the terminal acquires the biometric information of the service requester, sends the biometric information of the service requester to the authentication server, the authentication server compares the biometric information of the service requester with the biometric information in the required identity information to determine whether the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, and the authentication server sends the result of whether the biometric information is consistent to the terminal.
For another example, the terminal acquires the biometric information of the service requester, sends the biometric information of the service requester to the service server, and after the service server receives the required identity information from the authentication server or the terminal, the service server compares the biometric information of the service requester with the biometric information in the required identity information to determine whether the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, and the service server sends the result of whether the biometric information is consistent to the terminal.
It should be noted that some biometric information, such as a fingerprint, may not be allowed to leave the device (such as a mobile phone) under local legal or policy requirements, so the terminal may need to process the collected biometric information before sending the processed form to the server for comparison. For example, the terminal sends a hash value of the collected fingerprint data to the verification server; the verification server may belong to an organisation such as a police department that can collect and store citizens' fingerprint information, so the verification server can compare the received hash value with the hash value of the stored fingerprint data of that citizen. Optionally, the data sent by the terminal may also include information that helps the verification server locate the citizen's fingerprint data, such as a fingerprint template identifier, which is not limited here. Note that two raw captures of the same finger are not bit-identical, so for such a comparison to succeed both sides must hash the same deterministic representation, such as a canonicalised template or a template identifier; a hash of raw sensor data will not match across acquisitions.
For any of the above embodiments of fig. 4 or fig. 5, the service provider may also perform a registration operation of the service in advance before using the identity information customization service provided by the verification server (i.e., authenticating the identity of the electronic identity holder and providing the service provider with the identity information required by the service), and therefore, the embodiment of the present invention may further include a process flow of performing service registration for the service provider.
In one example, before the terminal sends the first message, the method further includes: the terminal sends a third message to a service server corresponding to the first service, wherein the third message is used for requesting the service server to register an identity information customization service required by the first service to a verification server; and the terminal receives a fourth message from the service server, wherein the fourth message is used for informing that the identity information customizing service is successfully registered. With the identity information customization service, the authentication server can establish a mapping table of services and their required identity information (such as the mapping table described above in step 402 of fig. 4) in response to requests from the terminal and the service server.
In another example, before the terminal transmits the first message, the method further comprises: the terminal sends a service registration request to the verification server, where the service registration request includes information of the service provider of the first service together with an identity information customization indication, or information of the service provider together with a required identity information identifier, or only information of the service provider; the terminal then receives from the authentication server a service registration response notifying that the service registration succeeded. The information of the service provider may be electronic identity information of the service provider (for example signature data calculated with its eID private key, or encrypted eID certificate information). The identity information customization indication tells the verification server that the service needs identity information to be provided to it; in this case the registration request does not carry a required identity information identifier, so the verification server must maintain in advance a mapping table from service application identifier to required identity information identifier, or from service application type to required identity information, so that after the first message is received it can determine, from the indication, which required identity information to provide to the service provider. Optionally, if the verification server does not maintain such a mapping table in advance, it may subsequently provide the required identity information according to the required identity information identifier carried in the received first message.
After the service registration is successful, the authentication server may authenticate the first electronic identity data sent by the service provider and provide the service provider with identity information required by the service after receiving a corresponding message (e.g., the first message in the embodiment shown in fig. 4). In addition, as described in the above embodiment, the authentication server may further perform a verification service for the required identity information, such as verifying whether the required identity information meets the service requirement for executing the first service, such as verifying whether the biometric information of the service requester is consistent with the biometric information of the electronic identity holder pre-stored locally.
In addition, the terminal can pre-filter services by means of a whitelist. In one example, after the terminal receives the fourth message from the service server, the method further includes: the terminal adds the service application identifier of the first service to a whitelist; when the terminal receives a request to trigger the first service, it determines that the whitelist includes the service application identifier of the first service. The terminal can thereby pre-judge and filter service applications and does not send the first message on behalf of a service application that is not on the whitelist, reducing unnecessary communication load caused by verification requests from illegitimate service applications. Optionally, the verification server may also use a whitelist: after service registration completes, the verification server adds the service application identifier of the first service to its whitelist, checks on receiving the first message whether the service application identifier is on the whitelist, and simply ignores the first message if it is not, avoiding unnecessary message parsing and saving some resource overhead.
The above describes the interaction process of the terminal, the authentication server and the service server for different communication paths in conjunction with the specific embodiments. As mentioned above, in an example, the terminal further includes a service application (called a service APP subsequently) and an eID client, where the eID client is used for reading and writing an eID card, and may be embedded in the service application, or may be called by the service application as an independent module. The following refines the terminal into a service application and an eID client, and further describes the embodiment of the present invention according to different communication paths.
Fig. 6 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention. Fig. 6 refines the terminal of fig. 4 into a service application and an eID client and further illustrates the operation flow inside the terminal. Referring to fig. 6, the method uses the first communication path, in which the service APP, through the eID client, requests the eID server to perform identity authentication and obtain the required identity information, where the identity information required by the service is part of the identity information of the service requester. The method includes:
step 601, the service APP determines the required identity information identifier according to the service requirement.
In one example, a service APP prestores a mapping table of a service and a required identity information identifier therein, and determines the required identity information identifier corresponding to the first service according to the mapping table; or, the service APP acquires the required identity information identifier corresponding to the first service from the corresponding service server. The specific examples of the service category and the category of the required identity information are as described above and will not be described in detail.
Step 602, the service APP sends a request containing the required identity information identifier to the eID client.
Step 603, the eID client acquires signature data, wherein the signature data is generated by performing signature calculation on the required identity information identifier and the service data by using a private key of the eID.
It can be understood that the signature data may be calculated in a secure chip that stores the eID private key, the public key certificate and related information. The secure chip may be integrated in the terminal, for example as a secure element (SE), a Trusted Execution Environment (TEE) or even part of the System on Chip (SoC) of a terminal such as a mobile phone, in which case the eID client obtains the signature data generated by the secure chip through an existing secure channel inside the terminal; or the secure chip may be a separate secure device, such as a bank card or a wearable device, in which case the eID client reads the signature data generated by the secure chip over a connection technology such as NFC.
Step 604, the eID client sends a verification request to the eID server, where the verification request includes the signature data and the original data used to generate the signature.
It will be appreciated that the authentication request described herein may correspond to the first message in fig. 4, the signature data may correspond to the first electronic identity data in fig. 4, and the original data from which the signature was generated may include the first information in fig. 4 above.
Step 605, the eID server verifies the signature, and prepares corresponding identity information according to the required identity information identifier after the verification is successful.
In one example, the eID server first verifies the signature to confirm whether it is valid. If it is valid, the eID server can obtain all identity information registered for the eID and select the required identity information from it according to the required identity information identifier.
Step 606, the eID server sends the verification result to the eID client, which includes the required identity information.
It will be appreciated that the authentication results described herein may correspond to the second message in fig. 4.
Step 607, the eID client sends the verification result to the service APP, which includes the required identity information.
Step 608, the service APP checks whether the required identity information meets the service requirement.
Step 609, if the service APP determines that the required identity information meets the service requirement, the service operation is executed.
It should be noted that, the service APP executes the service operation, specifically, the service APP sends the service request to the service server, for example, in a scenario of generating an order in an online shopping, after confirming that the order is successfully submitted, the service APP continues to execute the following payment operation (i.e., sends a payment request), so as to allow the service requester to make a corresponding payment.
Steps 602, 603 and 607 above are the interaction between the service APP and the eID card through the eID client; the eID card may include the required identity information identifier in the signed original data, or carry it as a separate parameter outside the signature.
Steps 604 and 606 above are the interaction between the service APP and the eID server through the eID client; the required identity information identifier may be included in the signed original data of the verification request, or carried as an extended parameter in the extension parameter field. The extension parameter field is defined by the standard YD/T 3150-2016, "Technical requirements for the eID verification service interface of network electronic identity".
In this embodiment the signature may be computed with existing techniques: for example, the eID card computes a hash value of the original data (which includes the service data sent by the service APP and possibly the required identity information identifier) and signs that hash value with the private key stored in the eID card. After receiving the signature and its original data, the eID server recovers the hash value from the signature with the public key of the eID card, computes the hash value of the original data itself, and compares the two hash values to verify whether the signature is valid. In addition, when the eID client sends the signature and its original data to the eID server in the verification request, the data may be encrypted again, for example with the public key of the eID server, which the eID server decrypts with its private key after receipt; optionally, a session key (symmetric key) negotiated between the eID client and the eID server for the session may be used for encryption and decryption.
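Steps 603 to 605 above (the card signs the required identity information identifier together with the service data, the eID server verifies the signature and then reads the identifier from the signed data) as an added example in Go. This is not code from the patent or from any eID product. It assumes P-256 ECDSA over SHA-256 in place of the card's unspecified algorithm, a one-byte length prefix to join the identifier and the service data (the exact message layout of YD/T 3150-2016 is not on this page), and a constructed identifier 0xA0 meaning photo plus age per Table one. It also adds a check the text does not spell out but which the two placement options of step 604 make necessary: if a copy of the identifier arrives in the extension parameter field, it must equal the identifier inside the signed data, otherwise a relay between card and server could request more identity items than the holder signed for.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerificationRequest models the verification request of step 604: the
// signature, the original data it was computed over, and an optional copy of
// the required identity information identifier in the extension parameter
// field (assumed, simplified encoding).
type VerificationRequest struct {
	Signature     []byte
	OriginalData  []byte // length-prefixed requiredID followed by the service data
	ExtRequiredID []byte // optional copy of requiredID sent outside the signature
}

// NewHolderKey generates the eID key pair that would live in the secure chip
// or eID card. P-256 ECDSA stands in for the card's real algorithm.
func NewHolderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// originalData joins the required identity information identifier and the
// service data with a one-byte length prefix so the server can split them
// unambiguously after verification.
func originalData(requiredID, serviceData []byte) []byte {
	buf := []byte{byte(len(requiredID))}
	buf = append(buf, requiredID...)
	return append(buf, serviceData...)
}

// CardSign is step 603 as performed inside the secure chip: hash the original
// data and sign the hash with the eID private key.
func CardSign(priv *ecdsa.PrivateKey, requiredID, serviceData []byte) (VerificationRequest, error) {
	if len(requiredID) > 255 {
		return VerificationRequest{}, errors.New("identifier too long")
	}
	data := originalData(requiredID, serviceData)
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return VerificationRequest{}, err
	}
	return VerificationRequest{Signature: sig, OriginalData: data, ExtRequiredID: requiredID}, nil
}

// ServerVerify is step 605 on the eID server: recompute the hash, verify the
// signature with the holder's public key, then take the identifier from the
// signed data. A copy in the extension field must equal the signed one.
func ServerVerify(pub *ecdsa.PublicKey, req VerificationRequest) ([]byte, error) {
	h := sha256.Sum256(req.OriginalData)
	if !ecdsa.VerifyASN1(pub, h[:], req.Signature) {
		return nil, errors.New("signature invalid")
	}
	if len(req.OriginalData) == 0 {
		return nil, errors.New("empty original data")
	}
	n := int(req.OriginalData[0])
	if len(req.OriginalData) < 1+n {
		return nil, errors.New("malformed original data")
	}
	signedID := req.OriginalData[1 : 1+n]
	if req.ExtRequiredID != nil && !bytes.Equal(req.ExtRequiredID, signedID) {
		return nil, errors.New("extension-field identifier differs from the signed identifier")
	}
	return signedID, nil
}

func main() {
	priv, err := NewHolderKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: 0xA0 = photo + age (Table one), service data is an order reference.
	req, _ := CardSign(priv, []byte{0xA0}, []byte("order=12345;amount=99.00"))
	id, err := ServerVerify(&priv.PublicKey, req)
	fmt.Printf("signed identifier %x, err=%v\n", id, err)

	// A relay rewrites the extension field to also request the name (0xE0).
	req.ExtRequiredID = []byte{0xE0}
	_, err = ServerVerify(&priv.PublicKey, req)
	fmt.Println("tampered request:", err)
}
```

The server takes the identifier it will act on from the signed bytes, never from the extension field alone; the extension copy is only accepted when it agrees. Replay protection is not shown: in a deployment the service data would have to carry a fresh transaction reference or nonce, which the page leaves to the service.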
The required identity information identifier may represent one or more items of plaintext information such as photo, name, identification number, date of birth, gender, nationality and address, or one or more single check conditions (i.e. status information) such as whether the holder is at least X years old, whether the holder is married, whether the holder is a citizen of country X, and whether the credential is valid. A specific implementation is as follows: each bit in a number of bytes represents one item of identity information (see Table one or Table two); optionally a whole byte may be used per item, and so on, which is not limited in this application.
Table one: correspondence of bits to identity information identifiers for obtaining plaintext information

  byte 1, bit 8: photo
  byte 1, bit 7: name
  byte 1, bit 6: age
  byte 1, bit 5: gender
  byte 1, bit 4: nationality
  byte 1, bit 3: address
  byte 1, bit 2: native place
  byte 1, bit 1: marital status

As Table one shows, each bit indicates one item of identity information: bit 8 of byte 1 indicates the photo, bit 7 the name, bit 6 the age, bit 5 the gender, bit 4 the nationality, bit 3 the address, bit 2 the native place and bit 1 the marital status. Further bytes carry further items in the same way.
Table two: correspondence of bits to identity information identifiers for obtaining status information

  byte 1, bit 8: photo
  byte 1, bit 7: name
  byte 1, bit 6: whether at least X years old
  byte 1, bit 5: whether male/female
  byte 1, bit 4: whether a Chinese citizen
  byte 1, bit 3: address
  byte 1, bit 2: whether born in X
  byte 1, bit 1: whether married/not married

As Table two shows, each bit again indicates one item, but bits 6, 5, 4, 2 and 1 of byte 1 now request a yes/no answer to a condition (at least X years old, male/female, Chinese citizen, born in X, married/not married) rather than the plaintext value.
Correspondingly, in steps 605 and 606 the identity information returned by the eID server may be either the plaintext information or the status information; returning status information rather than plaintext protects the privacy of the user.
In an example, after receiving the required identity information provided by the eID server through the eID client, the service APP may send the identity information together with the service request to the service server, so that the service server checks whether the identity information meets the service requirement and decides whether to allow the service operation; or it may first send only the identity information to the service server for checking, and then decide according to the service server's check result whether to send the service request. Service requests include online shopping operations such as adding to the shopping cart or confirming payment, website login operations, voting operations, and so on.
The service server's check of the identity information depends mainly on the form in which the eID server returned it: plaintext, such as an age of X years, gender male/female or marital status; non-plaintext status information, such as whether the holder is at least X years old or whether the holder is unmarried; or the eID server's own check result, i.e. yes or no (for example, the eID server was asked to determine whether the eID holder is older than X years). Optionally, the photo of the eID holder may be added, which can be used to check the current user of the eID card.
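An added example in Go, not code from the patent, that ties together the service registration mapping table described earlier (service application identifier to required identity information identifier), the bit layout of Table one and Table two, and the selection the eID server performs in step 605 once the signature has verified. The record layout, the registry, the parameters for the status checks (the X in "at least X years old") and the output field names are assumptions made for this example; an unregistered service application is refused, which matches the verification-server whitelist behaviour described above.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Field locates one identity item in the identifier bytes. Byte index 0 is
// "byte 1" of the tables and bit 8 is the most significant bit of that byte.
type Field struct {
	Byte int
	Bit  int // 1..8
}

// Positions from Table one (plaintext) and Table two (status information).
var (
	Photo       = Field{0, 8}
	Name        = Field{0, 7}
	Age         = Field{0, 6} // Table two: at least X years old
	Gender      = Field{0, 5} // Table two: male/female
	Nationality = Field{0, 4} // Table two: Chinese citizen
	Address     = Field{0, 3}
	NativePlace = Field{0, 2} // Table two: born in X
	Marital     = Field{0, 1} // Table two: married/not married
)

// Encode packs the requested fields into an identifier of nbytes bytes.
func Encode(nbytes int, fields ...Field) []byte {
	id := make([]byte, nbytes)
	for _, f := range fields {
		id[f.Byte] |= 1 << uint(f.Bit-1)
	}
	return id
}

// Has reports whether the identifier requests the given field.
func Has(id []byte, f Field) bool {
	return f.Byte < len(id) && id[f.Byte]&(1<<uint(f.Bit-1)) != 0
}

// FullRecord is everything the eID server holds for one holder (assumed layout).
type FullRecord struct {
	Photo, Name, Gender, Nationality string
	Married                          bool
	BirthDate                        time.Time
}

// Registration is what the verification server stores for a service after
// service registration: the required identity information identifier, whether
// status information (Table two) or plaintext (Table one) is wanted, and the
// values the status checks compare against.
type Registration struct {
	RequiredID  []byte
	StatusMode  bool
	MinAge      int
	Gender      string
	Nationality string
}

var registry = map[string]Registration{}

// RegisterService fills the mapping table from service application identifier
// to required identity information identifier.
func RegisterService(appID string, r Registration) { registry[appID] = r }

func ageAt(birth, now time.Time) int {
	age := now.Year() - birth.Year()
	if now.Month() < birth.Month() || (now.Month() == birth.Month() && now.Day() < birth.Day()) {
		age--
	}
	return age
}

// Prepare is step 605 after the signature has verified: return only the items
// the registered service asked for, as plaintext or as yes/no status values.
func Prepare(appID string, rec FullRecord, now time.Time) (map[string]interface{}, error) {
	r, ok := registry[appID]
	if !ok {
		return nil, errors.New("service application not registered")
	}
	id, out := r.RequiredID, map[string]interface{}{}
	if Has(id, Photo) {
		out["photo"] = rec.Photo
	}
	if Has(id, Name) {
		out["name"] = rec.Name
	}
	if r.StatusMode {
		if Has(id, Age) {
			out["age_ok"] = ageAt(rec.BirthDate, now) >= r.MinAge
		}
		if Has(id, Gender) {
			out["gender_ok"] = rec.Gender == r.Gender
		}
		if Has(id, Nationality) {
			out["citizen_ok"] = rec.Nationality == r.Nationality
		}
	} else {
		if Has(id, Age) {
			out["age"] = ageAt(rec.BirthDate, now)
		}
		if Has(id, Gender) {
			out["gender"] = rec.Gender
		}
		if Has(id, Nationality) {
			out["nationality"] = rec.Nationality
		}
	}
	if Has(id, Marital) {
		out["married"] = rec.Married // same answer in both tables
	}
	return out, nil
}

func main() {
	// Constructed sample: a service that only needs to know whether the holder
	// is an adult, plus the photo for a face check.
	RegisterService("bar-app", Registration{RequiredID: Encode(1, Photo, Age), StatusMode: true, MinAge: 18})
	rec := FullRecord{Photo: "<jpeg bytes>", Name: "Zhang San", Gender: "M",
		BirthDate: time.Date(2000, 6, 15, 0, 0, 0, 0, time.UTC)}
	out, err := Prepare("bar-app", rec, time.Date(2018, 3, 22, 0, 0, 0, 0, time.UTC))
	fmt.Printf("identifier %x -> %v (err=%v)\n", Encode(1, Photo, Age), out, err)
}
```

With identifier 0xA0 (photo and age) in status mode, the holder's name, birth date and gender never leave the server; the service learns only the photo and a single boolean.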
Fig. 7 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention. Referring to fig. 7, the method uses the first communication path, in which the service APP, through the eID client, requests the eID server to perform identity authentication and obtain the required identity information, and the identity information required by the service includes association relationship identity information of multiple users, where the multiple users may be, but are not limited to, two users. Fig. 7 builds on fig. 4: the terminal is refined into a service application and an eID client, the identity information required by the service is refined into association relationship information of multiple users, and the operation flow inside the terminal is further illustrated. This embodiment is explained with two users as an example, and the method includes:
step 701, the service APP determines the required identity information identifier according to the service requirement.
The required identity information identifier described above represents the association relationship of multiple users (for example, a first user and a second user) together with the photo, name and age of each.
Step 702, the service APP sends a request containing the required identity information identifier to the eID client.
Step 703, the eID client obtains a first signature and a second signature, where the first signature is signature data generated by performing signature calculation on the required identity information identifier and the service data by using a private key corresponding to the first user, and the second signature is signature data generated by performing signature calculation on the required identity information identifier and the service data by using a private key corresponding to the second user.
It can be understood that if a secure chip of the terminal stores the eID information, the eID client reads the first signature and the second signature directly from that secure chip; if no secure chip in the terminal stores the eID information, the eID client must read the first signature and the second signature from eID carriers (that is, separate devices containing a secure chip). The eID information includes the private key of the electronic identity, and the secure chip signs the required identity information identifier and the service data with that private key to generate the signature. Specifically, for the eID information of the first user, the first secure chip storing that eID information signs the required identity information identifier and the service data with its eID private key to generate the first signature; for the eID information of the second user, the second secure chip storing that eID information signs the required identity information identifier and the service data with its eID private key to generate the second signature. When integrated in the terminal, the first secure chip and the second secure chip may be the same physical chip whose internal storage and operations are isolated and do not interfere with each other; when the secure chips are separate devices, the first secure chip and the second secure chip are two independent devices.
Step 704, the eID client sends a verification request to the eID server, where the verification request is used to request identity verification of the first signature and the second signature.
It is understood that the verification request, the first or second signature, and the original data for generating the first or second signature are similar to the verification request, the signature data, and the original data for generating the signature in step 604 in fig. 6, respectively, and are not described again.
Step 705, the eID server verifies the signature and prepares the corresponding identity information according to the required identity information identifier.
Specifically, the eID server performs a signature verification operation on the first signature and on the second signature respectively; after both verify successfully, the eID server determines from the required identity information identifier that one of the items to be provided is the association relationship information of the first user and the second user. The association relationship information is stored on the eID server side or in a database accessible to the eID server; for example, all identity information corresponding to the first user includes the association relationship information between the first user and other users (such as the second user or others), and all identity information corresponding to the second user likewise includes the association relationship information between the second user and other users (such as the first user or others).
Step 706, the eID server sends the verification result to the eID client, which includes the required identity information.
Step 707, the eID client sends the verification result to the service APP, where the verification result includes the required identity information.
It is understood that the verification result described herein is similar to the verification result in step 606 in fig. 6, and is not described in detail.
Step 708, the service APP checks whether the required identity information meets the service requirement.
Step 709, when the service APP's check shows that the required identity information meets the service requirement, the service APP sends a service operation request to the service server.
The embodiment shown in fig. 7 is different from the embodiment shown in fig. 6 in that the terminal determines that the required identity information identifier represents an association relationship between multiple users, and therefore, the eID client obtains eID signatures of the multiple users, and obtains association relationship information of the multiple users from the eID server to check whether the association relationship information meets a service requirement.
In the embodiment shown in fig. 7, the required identity information identifier may represent association relationship information between multiple users, such as whether they are spouses, parent and child, siblings, or even classmates, or in an agency relationship. Optionally, it may also represent, besides the association relationship between the users, at least one item of plaintext or status information for each user.
The embodiment is suitable for checking the identity relationship of the users by the service provider when a plurality of users transact a certain service together, such as reserving a room, or checking the identity relationship of the user of the agent and the user of the agent by the service provider when one user transacts a certain service for other users, such as a parent transacting medical insurance for children.
In this embodiment, as shown in the flow of fig. 7, the terminal user (for an offline service this may be the service provider; for an online service it may be the service requester, that is, the eID card user) may, after triggering the service operation, bring several eID cards close to the terminal (for example, to its NFC sensing area) one after another as prompted, or may manually select the option "verify association relationships of multiple users" when triggering the service operation and then present the cards in turn as prompted. The service provider sends the signature data generated by each eID card to the server for verification. To prevent the service provider from obtaining more plaintext identity information of the represented service requester than it needs, the eID server may authorize the service request by checking only the association relationship between the users and withhold the specific identity information of each user (that is, the eID server feeds back only the association relationship information to the service provider and does not provide the plaintext identity information of each user). Optionally, this embodiment does not exclude the use of a single eID card: for example, when a parent transacts a service for a child, only the child's eID card needs to be used; the authentication request that the service provider's terminal sends to the eID server indicates that a parent/child relationship needs to be authenticated, and after successful authentication the eID server may feed back the association relationship information together with the parent's photo for the service provider to check. As another example, when an intermediary agent handles a service for a user, the agent uses its own eID card, and information identifying the represented user (such as that user's eID certificate number and name) must be submitted to the authentication server at the same time, so that the authentication server can determine from that information which user the agent is associated with.
In one example, if the implementation allows the user to modify the identity association information, for example by temporarily adding or modifying some association information through a modification service provided by the authentication server (e.g., the eID server), the method can be applied to various intermediary proxy services, such as loans, handling matters on a user's behalf, attorney delegation, and the like.
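A model of the eID server's disclosure policy for the relationship checks described above, added here as an example; it is not code from the patent or from any eID system. It assumes that the eID signatures of the presented cards have already been verified in the earlier steps of fig. 7, that relationships are stored per holder as "what the other holder is to me", and it uses invented eID numbers, names and photo placeholders. The server answers only whether the requested relationship holds; plaintext identity fields never leave it, and a photo is disclosed only in the single-card parent/child case, as the text describes. The self-modification service of the previous paragraph is modelled by `delegate`:

```python
from dataclasses import dataclass, field

# Assumption: the signatures of all presented cards were already verified, so
# only the relationship lookup and disclosure policy are modelled here.
SYMMETRIC = {"couple", "sibling", "classmate"}
INVERSE = {"parent": "child", "child": "parent", "agent": "principal", "principal": "agent"}

@dataclass
class Holder:
    eid_no: str
    info: dict                                     # plaintext identity information
    relations: dict = field(default_factory=dict)  # other eid_no -> what they are to me

class RelationService:
    def __init__(self):
        self._holders = {}

    def enroll(self, holder: Holder):
        self._holders[holder.eid_no] = holder

    def link(self, a: str, b: str, relation: str):
        """Register that b is a's <relation>, and a is b's inverse relation."""
        self._holders[a].relations[b] = relation
        self._holders[b].relations[a] = relation if relation in SYMMETRIC else INVERSE[relation]

    def delegate(self, principal: str, agent: str):
        """Self-modification service: a principal adds an agent (e.g. an attorney)."""
        self.link(principal, agent, "agent")

    def find_by_identity(self, name: str, eid_no: str):
        """Resolve a principal from the identifying information an agent submits."""
        h = self._holders.get(eid_no)
        return h if h and h.info.get("name") == name else None

    def check(self, verified_eids, relation, principal_identity=None) -> dict:
        """Answer only whether the relationship holds; never return plaintext identity."""
        result = {"relation": relation, "verified": False}
        if len(verified_eids) >= 2:                 # every party presented a card
            first, rest = verified_eids[0], verified_eids[1:]
            result["verified"] = all(self._holders[first].relations.get(b) == relation for b in rest)
        elif principal_identity:                    # agent's card plus principal's identifiers
            p = self.find_by_identity(**principal_identity)
            result["verified"] = bool(p) and p.relations.get(verified_eids[0]) == relation
        else:                                       # single card, e.g. only the child's
            me = self._holders[verified_eids[0]]
            others = [o for o, r in me.relations.items() if r == relation]
            result["verified"] = bool(others)
            result["photos"] = [self._holders[o].info["photo"] for o in others]
        return result
```

For the multi-card case the requested relation is read as "what the second and later cards are to the first", so `check(["child", "parent"], "parent")` and `check(["a", "b"], "couple")` both work without the caller knowing the storage direction.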
Fig. 8 is a communication diagram of another method for acquiring identity information according to an embodiment of the present invention, which may be an extension and refinement of the method shown in fig. 4 or fig. 6 and further illustrates the interaction between the terminal and the eID authentication server before the authentication request (e.g., the first message) is sent. Referring to fig. 8, the method uses the first communication path and extends the standard YD/T 3150-2016 ("Network electronic identity eID verification service interface technical requirements"):
step 801, the terminal sends a service request to the eID server.
The service request declares that the terminal intends to use the eID authentication service provided by the eID server.
Note that the service APP on the terminal must register for the eID authentication service with the eID server in advance.
In one example, when the service APP on the terminal registers for the eID authentication service with the eID server, the service type required by the service APP is determined, that is, the fixed part of the identity information that the corresponding service needs to obtain in every authentication. After the eID server verifies that the service APP is legitimate, it allocates a service application identifier (APP_id) to the service APP and records the service type corresponding to that identifier together with the fixed identity information it requires.
Step 802, the eID server sends a challenge value to the terminal.
The challenge value may be a random number generated by the eID server. The terminal uses it when generating the signature (specifically, the terminal generates the signature through the eID card), which improves the security of the service and, to a certain extent, prevents replay attacks. The protection holds only if the eID server accepts each challenge value once and only within its validity period.
Step 803, the terminal completes the eID signature operation and constructs the request data.
The signature operation may consist of signing the original data (such as the service data, or the service data together with the first information) with the eID private key; the challenge value returned by the eID server may be included in this process.
The generation of the signature may refer to the description of the previous embodiments.
Step 804, the terminal sends a verification request to the eID server, wherein the verification request comprises a signature and first information.
In an example, during the verification service registration phase the service APP registers the required service type with the eID server. In this example the service type indicates a service that requests identity authentication and requests part of the identity information; besides this service type used in the embodiment of the present invention, other types may exist, such as account binding, account retrieval, secure login, real-name authentication and the like. The eID server may then store the service application identifier (the APP_id described above, which indicates the service application to which the service requesting identity authentication belongs), the service type and the required identity information identifier in the form of a mapping table. In this case the first information need not contain the required identity information identifier; it includes the service application identifier and the service type identifier instead.
In another example, the first information includes the required identity information identifier, which may be carried in the extension parameter field defined by the above standard. In this case, optionally, the service APP may register an existing eID authentication service (e.g., real-name authentication) with the eID server in the authentication service registration stage, without extending the service types defined by the standard.
The signature, i.e. the signature generated by the operation in step 803, may take the service data as its original data, but other ways are not excluded, such as including the required identity information identifier and/or the service type as part of the original data. In one example, the original data is also included in the authentication request and transmitted.
Step 805, the eID server verifies the signature and prepares the required identity information according to the first information.
In one example, the eID server first verifies the signature as described in the previous embodiment. After the verification passes, the eID server prepares the required identity information according to the first information in the authentication request.
In one example, the first information includes a required identity information identifier, and the eID server may select the required identity information from all identity information corresponding to the eID data.
In an example, the first information includes the service application identifier and the service type; the eID server then determines the identity information identifier required by the service from the mapping table according to the service application identifier and the service type, and obtains the required identity information from all the identity information corresponding to the eID data according to that identifier.
Step 806, the eID server sends the verification result to the terminal.
The verification result includes the authentication result (identity authentication passed), the required identity information, and the like.
In step 807, the terminal determines whether the required identity information meets the service requirement to determine whether to allow the service operation.
This embodiment uses the existing identity authentication process to obtain part of the user's identity information; it changes the existing process little, is simple to implement, and adds little network overhead.
For the foregoing embodiment, in consideration of protecting user privacy, the scheme may be extended at the stage in which the service APP registers for the eID verification service, as follows:
the service APP requests the eID client to open the identity information customization service after the eID client has proven the legitimacy of the service APP (for example, the service APP has already registered for eID services such as eID login, eID age check or electronic driving licence validity-period check, or eID-authorized payment), whereupon the eID client adds the service APP identifier to its white list of service APPs;
when the service APP uses the eID verification service, the eID client, upon receiving the service APP's request, checks whether the service APP is in the white list and, if so, executes step 803 to sign the service data in the request.
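The full exchange of steps 801 to 806, together with the white-list check just described, as an added example that is not part of the patent or of any eID implementation. It assumes a toy Schnorr signature over the subgroup of squares modulo the Mersenne prime 2^127 - 1 (so that it runs on the Python standard library; a real eID card signs inside its secure element with a standards-conformant algorithm), a sorted-key JSON encoding of the original data, and invented identifiers such as EID-001, hotel-app, partial-identity and room-123. The eID server accepts each challenge value once, and the first information is covered by the signature, so a relaying party cannot widen the set of identity fields it asks for without invalidating the signature:

```python
import hashlib
import json
import secrets

# Toy Schnorr signature over the subgroup of squares modulo the Mersenne prime
# 2^127 - 1. Assumption: chosen only so the example runs on stdlib integers; a
# real eID card signs inside its secure element with a standard algorithm.
P = (1 << 127) - 1
Q = (P - 1) // 2
G = 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, stays on the eID card
    return x, pow(G, x, P)

def canon(*parts) -> bytes:
    """Canonical (sorted-key JSON) encoding of the original, i.e. signed, data."""
    return json.dumps(parts, sort_keys=True, separators=(",", ":")).encode()

def _e(r: int, msg: bytes) -> int:
    d = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(d, "big") % Q

def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _e(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    return _e(pow(G, s, P) * pow(y, e, P) % P, msg) == e

class EIDClient:
    """eID client on the terminal: uses the card key, keeps the APP white list."""
    def __init__(self, private_key: int):
        self._x = private_key
        self.whitelist = set()

    def open_customization(self, app_id: str):
        self.whitelist.add(app_id)            # APP proved legitimate, service opened

    def sign_for_app(self, app_id: str, original: dict, first_info: dict):
        if app_id not in self.whitelist:
            raise PermissionError(app_id + " is not on the white list")
        return sign(self._x, canon(original, first_info))       # step 803

class EIDServer:
    def __init__(self):
        self._challenges = set()   # outstanding one-time challenge values
        self._holders = {}         # eID number -> (public key, all identity info)
        self._apps = {}            # (APP_id, service type) -> required identifiers

    def enroll(self, eid_no, public_key, identity_info):
        self._holders[eid_no] = (public_key, identity_info)

    def register_app(self, app_id, service_type, required_ids):
        self._apps[(app_id, service_type)] = list(required_ids)

    def challenge(self) -> str:                                     # step 802
        c = secrets.token_hex(16)
        self._challenges.add(c)
        return c

    def verify_request(self, eid_no, sig, original, first_info):    # step 805
        c = original.get("challenge")
        if c not in self._challenges:
            return {"result": "fail", "reason": "unknown or replayed challenge"}
        self._challenges.discard(c)                                 # single use
        y, all_info = self._holders[eid_no]
        if not verify(y, canon(original, first_info), sig):
            return {"result": "fail", "reason": "bad signature"}
        if "required_ids" in first_info:          # identifiers carried directly
            ids = first_info["required_ids"]
        else:                                     # APP_id + service type -> table
            ids = self._apps[(first_info["app_id"], first_info["service_type"])]
        return {"result": "pass", "identity": {k: all_info[k] for k in ids}}

def run_flow(server, client, eid_no, app_id, service_data, first_info):
    """Steps 801 to 806 of fig. 8 as one round trip; returns the result."""
    original = {"service_data": service_data, "challenge": server.challenge()}
    sig = client.sign_for_app(app_id, original, first_info)
    return server.verify_request(eid_no, sig, original, first_info)

def demo():
    x, y = keygen()                            # constructed holder, APP and data
    server, client = EIDServer(), EIDClient(x)
    server.enroll("EID-001", y, {"name": "Zhang San", "gender": "F",
                                 "age_over_18": True, "photo": "<jpeg>"})
    server.register_app("hotel-app", "partial-identity", ["name", "photo"])
    client.open_customization("hotel-app")
    by_table = run_flow(server, client, "EID-001", "hotel-app", "room-123",
                        {"app_id": "hotel-app", "service_type": "partial-identity"})
    by_ids = run_flow(server, client, "EID-001", "hotel-app", "room-123",
                      {"required_ids": ["age_over_18"]})
    return by_table, by_ids

if __name__ == "__main__":
    print(demo())
```

The same server-side logic applies unchanged on the second communication path of fig. 9, where the service server rather than the eID client forwards the signature; what matters is that the required identity information identifier is either covered by the signature or set by a party the eID server trusts, and that the challenge is consumed on first use.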
Fig. 9 is a communication schematic diagram of another method for acquiring identity information according to an embodiment of the present invention. It can be understood that fig. 9 refines the terminal of fig. 5 into a service application (also referred to as a service APP) and an eID client and further illustrates the operation flow inside the terminal. Referring to fig. 9, the method uses the second communication path, in which the service APP obtains a signature through the eID client and then requests, through the service server, that the eID server perform identity authentication and return the required identity information. Thus, compared with the method of fig. 6, the method of fig. 9 illustrates an embodiment employing the other communication path (i.e., communication path 2). As shown in fig. 9, the method of this embodiment includes:
step 901, the service APP determines the required identity information identifier according to the service requirement.
Implementation can refer to the description of step 601 in fig. 6.
Step 902, the service APP sends a request containing the required identity information identifier to the eID client.
Step 903, the eID client acquires the signature data.
The signature is generated by signing the required identity information identifier and the service data with the eID private key.
It can be understood that the signature data may be calculated in a security chip that stores the eID private key, the public key certificate and related information. The security chip may be integrated in the terminal, for example in a Secure Element (SE), a Trusted Execution Environment (TEE), or even the System on Chip (SoC) of a terminal such as a mobile phone, in which case the eID client obtains the signature data generated by the security chip through an existing secure channel inside the terminal; or the security chip may be a separate security device, such as a bank card or a wearable device, in which case the eID client reads the signature data generated by the security chip through a connection technology such as NFC.
Step 904, the eID client sends the signature to the service APP.
Step 9051, the service APP sends a verification request to the service server, where the verification request includes a signature and original data for generating the signature, and is used to request authentication of the signature.
Step 9052, the service server sends a verification request to the eID server, where the verification request includes a signature and original data, and is used to request verification of the signature.
It will be appreciated that the information carried in the authentication request described herein may be the same as the information carried in the first message, the signature data may be the first electronic identity data, and the original data from which the signature was generated may be the first information.
Step 906, the eID server verifies the signature, and prepares corresponding identity information according to the required identity information mark after the verification is successful.
In one example, the eID server first verifies the signature to confirm that it is legitimate. If it is, the eID server obtains all the identity information registered for the eID and selects the required identity information from it according to the required identity information identifier.
Step 9071, the eID server sends the verification result to the service server, where the verification result includes the required identity information.
Step 9072, the service server sends the verification result to the service APP, where the verification result includes the required identity information.
It will be appreciated that the authentication results described herein may be carried in the aforementioned second message.
Step 908, the service APP checks whether the required identity information meets the service requirements.
Step 909, when the service APP's check finds that the required identity information meets the service requirement, the service APP sends a service operation request to the service server.
In this embodiment, after determining the required identity information identifier, the terminal obtains the required identity information via the path in which the service APP obtains a signature through the eID client and sends the signature directly to the service server, so that the service server requests the eID server to verify it and provide the required identity information.
Steps 902 to 904 are the interaction between the service APP and the eID card through the eID client; the eID card may sign the required identity information identifier as part of the original data, or carry it as a separate parameter outside the signature.
Steps 9051 to 9072 are the interaction between the service APP and the eID server through the service server; the required identity information identifier may be part of the original signed data in the verification request, or carried as an extension parameter. The extension parameter field is defined by the standard YD/T 3150-2016 "Network electronic identity eID verification service interface technical requirements".
The identity information identifier is the same as that in the first communication path, and is not described herein again.
Note that steps 907 and 908, in which the service server forwards the required identity information to the service APP and the service APP checks it, are optional: after receiving the required identity information provided by the eID server, the service server may itself check whether it meets the service requirement and then send the check result to the service APP, or directly execute the service operation.
In one example, unlike the previous embodiment, the required identity information identifier is not determined by the service APP, that is, steps 901 and 902 in fig. 9 are not performed, and in step 903 the signature is generated over the service data only and then sent to the service server. After receiving the signature, the service server determines the required identity information identifier according to the service requirement, attaches it outside the signature, and sends the identifier together with the received signature to the eID server for signature verification and feedback of the required identity information.
As for the generation of the signature, the required identity information identifier need not be part of the original data; it may instead be sent to the server directly, together with the signature.
Fig. 10 is a communication schematic diagram of another method for acquiring identity information according to an embodiment of the present invention. Referring to fig. 10, the method does not restrict the communication path: the terminal may obtain the required identity information through either the first or the second communication path. After obtaining it, the terminal must check whether it meets the service requirement, and in addition obtains identity information entered by the user (for example, identity information collected locally) and compares it with the required identity information to determine whether person and credential are one, that is, whether the person presenting the eID is its holder. The method includes:
step 1001, the service server and/or the service APP determines the required identity information identifier according to the service requirement.
The required identity information identifier may be determined, on the service APP side or the service server side, from the service operation triggered by the user (for example, the user selecting eID login when logging in to a website, confirming a payment, voting, and the like).
Step 1002, the service APP collects the required identity information or a part thereof.
Such as an avatar photograph.
Step 1003, the service APP obtains the required identity information from the eID server.
The obtaining manner is described in the foregoing embodiment, and the embodiment of the present invention may obtain the required identity information in any one manner shown in fig. 4 to fig. 9, which is not described herein again.
Step 1004, the service APP compares the collected identity information with the required identity information provided by the eID server and judges whether person and credential are one.
Alternatively, the service APP may send the collected identity information to the service server, which compares it with the required identity information provided by the eID server to determine whether person and credential are one.
Fig. 11 is a communication schematic diagram of another method for acquiring identity information according to an embodiment of the present invention. Referring to fig. 11, the terminal in this method may obtain the required identity information through the first communication path, and the service APP or the service server checks whether the required identity information meets the service requirement and is consistent with the collected identity information. The method includes:
step 1101, the service server and/or the service APP determines the required identity information identifier according to the service requirement.
The required identity information identifier may be determined, on the service APP side or the service server side, from the service operation triggered by the user (for example, the user selecting eID login when logging in to a website, confirming a payment, voting, and the like).
Step 1102, the service APP collects the required identity information or a part thereof.
Such as an avatar photograph.
Step 1103, the service APP sends the acquired identity information to the service server.
In step 1104a, the service APP sends a request containing the required identity information identifier to the eID client.
Step 1104b, the eID client obtains the signature data, which is generated by signing the required identity information identifier and the service data with the eID private key, and sends a verification request to the eID server that contains the signature data and the original data over which the signature was generated.
Step 1104c, the eID server verifies the signature, prepares the corresponding identity information according to the required identity information identifier after successful verification, and sends a verification result containing the required identity information to the eID client.
Step 1104d, the eID client sends the verification result, containing the required identity information, to the service APP.
It is understood that steps 1104a-d are the process of obtaining the required identity information from the eID server by the service APP.
Step 1105, the service APP sends the verification result to the service server, where the verification result includes the required identity information.
In step 1106, the service server checks whether the required identity information meets the service requirement and whether the required identity information is consistent with the collected identity information.
Besides the embodiments of figs. 10 and 11, other implementations are not excluded. For example, the service APP side checks whether the required identity information meets the service requirement while the service server side checks whether the obtained required identity information is consistent with the identity information collected by the terminal, or vice versa. As another example, the service APP places the identity information collected by the terminal in an extension parameter of the authentication request and sends it to the eID server for auxiliary verification; then, in one mode, the eID server reports the auxiliary verification result and the service APP decides whether to allow the service operation according to that result and its own check of the required identity information, while in another mode the eID server decides according to the auxiliary verification result whether to provide the required identity information to the terminal at all.
In one example, the collected identity information may be biometric information of the current user, since what is being checked here is that the current user of the eID card and its holder (the citizen the card actually represents) are the same person; the terminal may collect a facial image or other biometric information of the current user. For example, if a facial image is collected, picture matching may be performed locally after the photograph of the eID holder provided by the eID server is received, or the image may be sent to the server and matched on the server side. As another example, if a fingerprint is collected, the law may not permit the citizen's fingerprint information to be transmitted to the terminal, so the hash value of the collected fingerprint may instead be encrypted with the public key of the eID server and transmitted to the eID server, which decrypts it with its private key and compares it with the fingerprint data it holds (the eID server of the public security authority may store biometric information such as citizens' fingerprints).
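The two automated checks described for figs. 10 and 11, including the fingerprint variant just mentioned, as an added example that is not part of the patent or of any eID system. It assumes that facial images have already been reduced to embedding vectors by some face-recognition model (compared here by cosine similarity with an arbitrary threshold of 0.9), that a toy hashed-ElGamal encryption over the subgroup of squares modulo 2^127 - 1 stands in for the eID server's real public-key scheme, and that holder records are constructed. Only the SHA-256 digest of the fingerprint template is encrypted to the eID server, which compares it in constant time against the digest on file; the server can either report the auxiliary result (mode 1) or withhold the required identity information unless the check passes (mode 2):

```python
import hashlib
import hmac
import math
import secrets

# Toy Diffie-Hellman group (subgroup of squares modulo the Mersenne prime
# 2^127 - 1). Assumption: used only so the example runs on the standard
# library; the eID server's real key pair would come from a proper library.
P = (1 << 127) - 1
Q = (P - 1) // 2
G = 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _keystream(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def encrypt_for_server(server_pub: int, digest: bytes):
    """Hashed-ElGamal style: fresh k, c1 = G^k, digest XOR SHA-256(pub^k)."""
    assert len(digest) == 32
    k = secrets.randbelow(Q - 1) + 1
    key = _keystream(pow(server_pub, k, P))
    return pow(G, k, P), bytes(a ^ b for a, b in zip(key, digest))

def decrypt_at_server(server_priv: int, c1: int, ct: bytes) -> bytes:
    key = _keystream(pow(c1, server_priv, P))
    return bytes(a ^ b for a, b in zip(key, ct))

def fingerprint_digest(template: bytes) -> bytes:
    """Only this digest leaves the terminal; the raw template never does."""
    return hashlib.sha256(template).digest()

def photo_match(collected, holder, threshold=0.9) -> bool:
    """Cosine similarity of two face embeddings. Assumption: the vectors come
    from some face-recognition model; 0.9 is an arbitrary demo threshold."""
    dot = sum(a * b for a, b in zip(collected, holder))
    norm = math.sqrt(sum(a * a for a in collected)) * math.sqrt(sum(b * b for b in holder))
    return norm > 0 and dot / norm >= threshold

class EIDServer:
    """Holds each citizen's photo embedding and fingerprint digest (constructed)."""
    def __init__(self):
        self.priv, self.pub = keygen()
        self._holders = {}   # eID number -> identity record

    def enroll(self, eid_no: str, record: dict):
        self._holders[eid_no] = record

    def auxiliary_verify(self, eid_no: str, c1: int, ct: bytes) -> bool:
        """Mode 1: report whether the encrypted fingerprint digest carried in the
        request's extension parameter matches the digest on file."""
        got = decrypt_at_server(self.priv, c1, ct)
        return hmac.compare_digest(got, self._holders[eid_no]["fp_digest"])

    def identity_if_unified(self, eid_no: str, required_ids, c1: int, ct: bytes):
        """Mode 2: release the required identity information only when the
        auxiliary verification shows that person and credential are one."""
        if not self.auxiliary_verify(eid_no, c1, ct):
            return None
        return {k: self._holders[eid_no][k] for k in required_ids}

def service_decision(required_ok: bool, collected_photo, holder_photo) -> bool:
    """Check on the service APP or service server side (figs. 10 and 11): allow
    the operation only if the required identity information satisfies the
    service and the person presenting the card matches the holder's photo."""
    return required_ok and photo_match(collected_photo, holder_photo)
```

The terminal never learns the holder's fingerprint digest in mode 2, and the service provider never sees the user's plaintext identity unless the eID server has confirmed the match; in mode 1 the service APP must still combine the reported result with its own check of the required identity information before executing the service.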
It can be understood that in the schemes of figs. 4 to 9 above, the eID server provides identity information according to the various service requirements so that the service provider can check part of the user's identity information; those schemes, however, are designed around the ideal case of "person and credential being one" (that is, the current user of the eID is the eID holder), which they do not themselves ensure.
In offline services, the service provider (e.g., a physical store or a hotel) and the eID user usually interact in person, so the terminal user (e.g., a merchant, or a government officer such as a traffic police officer) can manually check the partial identity information (e.g., photo, name, gender) fed back by the eID server to confirm that person and credential are one, for example by comparing the holder's photo returned by the eID server with the current user, or by questioning the current user after receiving the name, age and other information returned by the eID server. These methods, however, require manual work and cannot be automated. For this scenario, the embodiments of figs. 10 and 11 let the terminal check automatically whether person and credential are one.
In online services, the service provider and the user usually cannot interact in person, so a service provider (e.g., an online store) that receives partial identity information (e.g., photo, name, gender) fed back by the eID server cannot by itself establish that person and credential are one. For this scenario too, the embodiments of figs. 10 and 11 let the terminal perform this check automatically.
In short, the embodiment applies to both online and offline services; for offline services the terminal user no longer needs to check the identity information provided by the eID server manually, because the terminal can execute the check logic automatically.
The embodiment of the present invention not only meets the checking requirements of different services for different identity information, but also avoids the data redundancy and privacy leakage that providing the same comprehensive identity information in every service operation could cause (that is, it minimizes the private information involved in identity authentication), and ensures to a greater extent that person and credential are one (that is, that the current user of the eID is the eID holder).
In addition, it should be noted that in the foregoing embodiments the first electronic identity data is, for example, computed signature data, but other forms are optionally possible: for example, the first electronic identity data may be an electronic identity issued to the user by an electronic identity service provider (such as the authentication service provider) and stored in the security chip (such as a serial number or code that uniquely identifies the user), or encrypted data obtained by encrypting that electronic identity (for example with a public key or a symmetric key of the authentication server, so that the authentication server can perform the corresponding decryption). After receiving the electronic identity, the authentication server can directly look up all the identity information of the user to whom it corresponds, determine from it the identity information required by the service according to the first information received at the same time, and feed that information back to the service provider.
The above description mainly introduces the scheme of the embodiment of the present invention from the perspective of the method flow. It is to be understood that each network element, such as a terminal, etc., for implementing the above functions, includes corresponding hardware structures and/or software modules for performing the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present invention, the terminal and the like may be divided into functional modules according to the above method examples, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, the division of the modules in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In the case of integrated modules, fig. 12 shows a possible structural diagram of the terminal involved in the above-described embodiment. The terminal 1200 includes: a processing module 1202 and a communication module 1203. Processing module 1202 is configured to control and manage actions of the terminal, e.g., processing module 1202 is configured to support the terminal to perform the processes of fig. 2A, 2B, 2C, and 4-11, and/or other processes for the techniques described herein. The communication module 1203 is configured to support communication between the terminal and other network entities, for example, an authentication server or a service server. The terminal may also include a storage module 1201 for storing program codes and data for the terminal.
As shown in fig. 12, the terminal includes a storage module 1201, a processing module 1202, a communication module 1203, an input module 1204, an output module 1205, a peripheral module 1206, and the like.
Based on the structure of the terminal shown in figure 12,
a communication module 1203, configured to send a first message, where the first message includes first electronic identity data and first information, where the first electronic identity data is used by a verification server to verify an identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity of the electronic identity holder passes verification, the first information is used by the verification server to obtain, from all identity information of the electronic identity holder, identity information required by a first service; receiving a second message, wherein the second message comprises the required identity information or an identity information check result obtained based on the required identity information.
In an example, after the communication module 1203 receives the second message, the processing module 1202 is configured to execute the first service when the required identity information meets the requirement for executing the first service or the identity information check result is yes.
In one example, the communication module 1203 transmits a first message, including: sending the first message to a service server corresponding to the first service, wherein the first message further comprises indication information, and the indication information is used for indicating the service server to send the first electronic identity data and the first information to the verification server;
the communication module 1203 receiving the second message includes: receiving the second message from the service server.
In one example, the terminal further includes:
an obtaining module (i.e., the input module 1204) configured to obtain biometric information of a service requester of the first service;
the processing module 1202 is configured to execute the first service when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder.
In an example, before the processing module 1202 executes the first service, the communication module 1203 is further configured to send the biometric information of the service requester to a service server corresponding to the first service, where the biometric information of the service requester is used by the service server to compare it with the biometric information in the required identity information, and to receive a result of the comparison from the service server.
In one example, the first information is the required identity information identifier; or, the first information is a service application identifier for executing the first service and a service type identifier for the first service.
In one example, before the communication module 1203 sends the first message, the processing module 1202 is configured to perform a signature computation on the service data of the first service by using a private key of the electronic identity holder to generate the first electronic identity data; or, the communication module 1203 is further configured to obtain the first electronic identity data from a security device where the private key of the electronic identity holder is located, where the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key of the electronic identity holder.
In one example, before the communication module 1203 sends a first message, the processing module 1202 is configured to perform a signature calculation on the first information and the service data of the first service by using a private key of the electronic identity holder to generate the first electronic identity data; or, the communication module 1203 is further configured to obtain the first electronic identity data from a security device where the private key of the electronic identity holder is located, where the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service and the first information by using the private key of the electronic identity holder.
In an example, the processing module 1202 is further configured to determine an identity information identifier required by the first service;
the processing module 1202 is configured to determine an identity information identifier required by the first service, including:
determining the required identity information identifier according to a mapping table of pre-stored service application identifiers and the required identity information identifiers;
or, determining the required identity information identifier according to a user instruction;
or, the required identity information identifier is received from the service server corresponding to the first service through the communication module 1203.
In an example, before the communication module 1203 sends the first message, the communication module 1203 is further configured to send a third message to a service server corresponding to the first service, where the third message is used to request the service server to register, to the authentication server, an identity information customization service required by the first service; and receiving a fourth message from the service server, wherein the fourth message is used for informing that the identity information customizing service is successfully registered.
In an example, after the communication module 1203 receives the fourth message from the service server, the processing module 1202 is further configured to add the service application identifier of the first service to a white list; and after responding to the request for triggering the first service, determining that the white list comprises the service application identifier of the first service.
In this embodiment of the present invention, the first message sent by the communication module 1203 includes not only the first electronic identity data, but also the first information, so that on one hand, the authentication server can authenticate the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data, and on the other hand, when the identity authentication of the electronic identity holder passes, the authentication server can obtain the required identity information from all the identity information of the electronic identity holder according to the first information, and the communication module 1203 receives the second message, where the second message includes the required identity information or the identity information verification result. Therefore, the terminal can acquire the required identity information while authenticating the identity, the service requester is not required to provide plaintext information to the service provider, the leakage of key privacy data can be avoided, and the redundancy of unnecessary information is avoided.
The processing module 1202 may be a processor or a controller, among others. The communication module 1203 may be a communication interface, a transceiver circuit, etc., wherein the communication interface is a generic term and may include one or more interfaces. The storage module 1201 may be a memory.
Fig. 13 is a block diagram of a partial structure of a mobile phone 1300 according to an embodiment of the present application, taking a mobile phone as an example of the mobile terminal. Referring to fig. 13, the handset 1300 includes: Radio Frequency (RF) circuitry 1310, memory 1320, input unit 1330, display 1340, sensor 1350, audio circuitry 1360, WiFi (wireless fidelity) module 1370, processor 1380, and power supply 1390. Those skilled in the art will appreciate that the handset configuration shown in fig. 13 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components may be used.
The various components of cell phone 1300 are described in detail below with reference to fig. 13:
RF circuit 1310 may be used for receiving and transmitting signals during a message transmission or call; in particular, received downlink information of a base station is delivered to processor 1380 for processing, and uplink data is transmitted to the base station. Typically, the RF circuitry includes, but is not limited to, an antenna, at least one Amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, RF circuit 1310 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA) System, Wideband Code Division Multiple Access (WCDMA) System, Long Term Evolution (LTE) System, email, Short Message Service (SMS), and the like.
In the embodiment of the invention, the terminal relates to the RF circuit 1310 when interacting with the eID card through the eID client, and possible modes such as NFC communication and the like are not excluded; the terminal's interaction with the various servers also involves the RF circuitry 1310, such as through a baseband module.
The memory 1320 may be used to store software programs and modules, and the processor 1380 executes various functional applications and data processing of the mobile phone 1300 by executing the software programs and modules stored in the memory 1320. The memory 1320 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone 1300, and the like. In addition, the Memory 1320 may include a volatile Memory, such as a Nonvolatile dynamic Random Access Memory (NVRAM), a Phase Change Random Access Memory (PRAM), a Magnetoresistive Random Access Memory (MRAM), and the like; the Memory 1320 may further include a nonvolatile Memory such as at least one magnetic Disk storage device, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a flash Memory device such as a NOR flash Memory (NOR flash Memory) or a NAND flash Memory (NAND flash Memory), a semiconductor device such as a Solid State Disk (SSD), and the like. The memory 620 may also comprise a combination of the above types of memory.
In an embodiment of the present invention, the service APP registering eID service phase may involve storing data, such as storing a white list and storing a mapping table, and the data may be stored in the memory 1320.
The input unit 1330 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the cellular phone 1300. Specifically, the input unit 1330 may include a touch panel 1331 and other input devices 1332. Touch panel 1331, also referred to as a touch screen, can collect touch operations by a user (e.g., operations by a user on or near touch panel 1331 using any suitable object or accessory such as a finger, a stylus, etc.) and drive the corresponding connection device according to a preset program. Alternatively, the touch panel 1331 may include two portions, a touch detection device and a touch controller. The touch detection device detects the touch orientation of the user, detects the signal brought by the touch operation and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into touch point coordinates, and sends the touch point coordinates to the processor 1380, and the touch controller can also receive and execute commands sent by the processor 1380. In addition, the touch panel 1331 may be implemented in various types, such as resistive, capacitive, infrared, and surface acoustic wave. The input unit 1330 may include other input devices 1332 in addition to the touch panel 1331. In particular, other input devices 1332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
Display 1340 may be used to display information entered by or provided to the user as well as various menus for cell phone 1300. The Display screen 1340 may include a Display panel 1341, and optionally, the Display panel 1341 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Further, touch panel 1331 can overlay display panel 1341, and when touch panel 1331 detects a touch operation on or near touch panel 1331, processor 1380 can be configured to determine the type of touch event, and processor 1380 can then provide a corresponding visual output on display panel 1341 based on the type of touch event. Although in fig. 13, the touch panel 1331 and the display panel 1341 are two separate components to implement the input and output functions of the mobile phone 1300, in some embodiments, the touch panel 1331 and the display panel 1341 may be integrated to implement the input and output functions of the mobile phone 1300. The display screen 1340 may be used to display content including user interfaces, such as a terminal's power-on interface, and application's user interface. The content may include information and data in addition to the user interface. The display 640 may be a built-in screen of the terminal or other external display device.
In an embodiment of the invention, the touch panel employed by the input unit 1330 can also be used as a display panel of the display 1340. For example, when the touch panel detects a gesture operation of touch or proximity thereto, the gesture operation is transmitted to the processor 1380 to determine the type of touch event, and then the processor 1380 provides a corresponding visual output on the display panel according to the type of touch event. Although the input unit 1330 and the display 1340 are shown as two separate components in fig. 13 to implement the input and output functions of the terminal, in some embodiments, a touch panel may be integrated with a display panel to implement the input and output functions of the terminal.
The cell phone 1300 may also include at least one sensor 1350, such as light sensors, motion sensors, position sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may obtain the brightness of the ambient light, and adjust the brightness of the display panel 1341 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 1341 and/or the backlight when the mobile phone 1300 moves to the ear. The motion sensor comprises an acceleration sensor, the acceleration sensor can detect the magnitude of acceleration in all directions (generally three axes), can detect the magnitude and direction of gravity when the motion sensor is static, and can be used for applications of recognizing the gesture of the mobile phone (such as horizontal and vertical screen switching, related games and magnetometer gesture calibration), vibration recognition related functions (such as pedometers and knocking) and the like. The position sensor may be configured to acquire a geographical position coordinate of the terminal, and the geographical position coordinate may be acquired by a Global Positioning System (GPS), a COMPASS System (COMPASS System), a GLONASS System (GLONASS System), a GALILEO System (GALILEO System), or the like. The position sensor can also carry out positioning through a base station of a mobile operation network and local area networks such as Wi-Fi or Bluetooth, or comprehensively use the positioning mode, so that more accurate mobile phone position information is obtained. As for the other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone 1300, further description is omitted here.
Audio circuitry 1360, speaker 1361, and microphone 1362 can provide an audio interface between a user and the cell phone 1300. The audio circuit 1360 may transmit the electrical signal converted from the received audio data to the speaker 1361, which converts it into a sound signal and outputs it; on the other hand, the microphone 1362 converts the collected sound signal into an electrical signal, which the audio circuit 1360 receives and converts into audio data; the audio data is then output to the processor 1380 for processing and transmitted, for example, to another cellular phone via the RF circuit 1310, or output to the memory 1320 for further processing.
WiFi belongs to short distance wireless transmission technology, and the mobile phone 1300 can help the user send and receive e-mail, browse web page and access streaming media, etc. through the WiFi module 1370, which provides wireless broadband internet access for the user. Although fig. 13 shows the WiFi module 1370, it is understood that it does not belong to the essential constitution of the cellular phone 1300 and can be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1380 is a control center of the mobile phone 1300, connects various parts of the entire mobile phone using various interfaces and lines, and performs various functions of the mobile phone 1300 and processes data by operating or executing software programs and/or modules stored in the memory 1320 and calling data stored in the memory 1320, thereby monitoring the mobile phone as a whole. The processor 1380 may be a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, transistor logic, hardware components, or any combination thereof. The processor 1380 may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. Processor 1380 may also be a combination implementing computing functions, e.g., a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. Optionally, processor 1380 may include one or more processor units. Optionally, processor 1380 may further integrate an application processor, which primarily handles operating systems, user interfaces, application programs, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated within processor 1380.
In this embodiment of the present invention, processor 1380 may be configured to perform actions of the business APP and the eID client, for details, see the method embodiments described above.
The handset 1300 also includes a power supply 1390 (e.g., a battery) to supply power to the various components, which may preferably be logically connected to the processor 1380 via a power management system to manage charging, discharging, and power consumption management functions via the power management system.
It should be noted that, although not shown, the mobile phone 1300 may further include a camera, a bluetooth module, and the like, which are not described herein.
In the embodiment of the present invention,
the memory 1320, for storing program instructions;
the processor 1380 is configured to perform the following operations in accordance with program instructions stored in the memory 1320:
sending a first message through the communication interface 1310, where the first message includes first electronic identity data and first information, the first electronic identity data is used for a verification server to verify an identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used for the verification server to obtain identity information required by a first service from all identity information of the electronic identity holder;
receiving a second message through the communication interface 1310, the second message including the required identity information or an identity information check result obtained based on the required identity information.
In one example, after the processor 1380 performs the operations of receiving the second message via the communication interface 1310, the processor 1380 is further configured to perform the following operations in accordance with program instructions stored in the memory 1320:
when the required identity information meets the requirement for executing the first service or the identity information check result is yes, executing the first service.
In one example, the processor 1380 performs the operations of sending a first message over the communication interface 1310, including:
sending the first message to a service server corresponding to the first service through the communication interface 1310, where the first message further includes indication information, and the indication information is used to indicate the service server to send the first electronic identity data and the first information to the verification server;
the processor 1380 performing the operations of receiving the second message via the communication interface 1310 includes:
the second message is received from the service server through the communication interface 1310.
In one example, the processor 1380 is further configured to perform the following operations in accordance with program instructions stored in the memory 1320:
obtaining biometric information of a service requester of the first service;
when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, executing the first service.
In one example, prior to the processor 1380 executing the first service, the processor 1380 is further configured to perform the following in accordance with program instructions stored in the memory 1320:
sending the biometric information of the service requester to a service server corresponding to the first service through the communication interface 1310, where the biometric information of the service requester is used for the service server to compare the biometric information of the service requester with the biometric information in the required identity information;
receiving the result of the comparison from the service server through the communication interface 1310.
In one example, the first information is the required identity information identifier; or, the first information is a service application identifier for executing the first service and a service type identifier for the first service.
In one example, before the processor 1380 performs the operation of sending the first message over the communication interface 1310, the processor 1380 is further configured to perform the following operations in accordance with program instructions stored in the memory 1320:
performing signature calculation on the service data of the first service by using a private key of the electronic identity holder to generate the first electronic identity data; or, obtaining the first electronic identity data from the security device where the private key of the electronic identity holder is located through the communication interface 1310, where the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key of the electronic identity holder.
In one example, before the processor 1380 executes the sending of the first message over the communication interface 1310, the processor 1380 is further configured to perform the following in accordance with program instructions stored in the memory 1320:
using a private key of the electronic identity holder to perform signature calculation on the service data of the first service and the first information to generate first electronic identity data; or, the first electronic identity data is obtained from the security device where the private key of the electronic identity holder is located through the communication interface 1310, where the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service and the first information by using the private key of the electronic identity holder.
In one example, the processor 1380 is further configured to perform the following operations in accordance with program instructions stored in the memory 1320: determining an identity information identifier required by a first service;
the processor 1380 performing the operation of determining the identity information identifier required by the first service includes:
determining the required identity information identifier according to a mapping table of pre-stored service application identifiers and the required identity information identifiers;
or, determining the required identity information identifier according to a user instruction;
or, receiving the required identity information identifier from the service server corresponding to the first service through the communication interface.
In one example, before the processor 1380 performs the operation of sending the first message over the communication interface 1310, the processor 1380 is further configured to perform the following operations in accordance with program instructions stored in the memory 1320:
sending a third message to a service server corresponding to the first service through the communication interface 1310, where the third message is used to request the service server to register an identity information customization service required by the first service with the authentication server;
receiving a fourth message from the service server through the communication interface 1310, the fourth message being used to notify the identity information customizing service that the registration is successful.
In one example, after the processor 1380 performs the operation of receiving the fourth message from the business server via the communication interface 1310, the processor 1380 is further configured to perform the following operations in accordance with program instructions stored in the memory:
adding the service application identifier of the first service into a white list;
after responding to the request for triggering the first service, determining that the white list comprises the service application identifier of the first service.
In the embodiment of the present invention, the first message sent through the communication interface 1310 includes not only the first electronic identity data, but also the first information, so that on one hand, the authentication server can authenticate the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data, and on the other hand, when the identity authentication of the electronic identity holder passes, the authentication server can obtain the required identity information from all the identity information of the electronic identity holder according to the first information, and receive the second message through the communication interface 1310, where the second message includes the required identity information or the identity information verification result. Therefore, the terminal can acquire the required identity information while authenticating the identity, the service requester is not required to provide plaintext information to the service provider, the leakage of key privacy data can be avoided, and the redundancy of unnecessary information is avoided.
Fig. 14 is a schematic diagram of a communication device according to an embodiment of the present application, and as shown in fig. 14, the communication device 1400 may be a chip, where the chip includes a processing unit and a communication unit. The processing unit may be a processor 1410, which may be of the various types described previously. The communication unit may be, for example, an input/output interface 1420, a pin or a circuit, etc., which may include or be connected to a system bus. Optionally, the communication device further includes a storage unit, which may be a memory 1430 inside the chip, such as a register, a cache, a Random Access Memory (RAM), an EEPROM, or a FLASH; the memory unit may also be a memory located outside the chip, which may be of the various types described hereinbefore. A processor is coupled to the memory, and the processor can execute the instructions stored in the memory to cause the communication device to perform the functions of the terminal in the methods illustrated in fig. 2A, 2B, 2C, and 4-11.
In the case of integrated modules, fig. 15 shows a schematic diagram of a possible structure of the authentication server involved in the above-described embodiment. The authentication server 1500 includes: a processing module 1502 and a communication module 1503. The processing module 1502 is used for controlling and managing the actions of the authentication server.
In one example, the communication module 1503 is configured to receive a fifth message, where the fifth message includes the first electronic identity data and the first information;
a processing module 1502, configured to verify, according to the first electronic identity data, an identity of an electronic identity holder corresponding to the first electronic identity data; when the identity verification of the electronic identity holder passes, acquiring identity information required by a first service from all identity information of the electronic identity holder according to the first information;
the communication module 1503 is further configured to send a sixth message, where the sixth message includes the required identity information.
In one example, the communication module 1503 receives a fifth message comprising:
receiving the fifth message from the service server corresponding to the first service;
the communication module 1503 sending the sixth message includes:
sending the sixth message to the service server.
In one example, before the communication module 1503 sends the sixth message, the communication module 1503 is further configured to receive, from the terminal, biometric information of the service requester of the first service; and when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, to send the sixth message.
In one example, the first information is the required identity information identifier; or, the first information is a service application identifier for executing the first service and a service type identifier for the first service.
In one example, the first electronic identity data is signature data generated by performing signature calculation on the service data of the first service by using a private key of the electronic identity holder; or the first electronic identity data is signature data generated by performing signature calculation on the service data of the first service and the first information by using a private key of the electronic identity holder;
the processing module 1502 verifying the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data includes:
verifying the signature data according to the public key of the electronic identity holder, so as to verify the identity of the electronic identity holder.
In one example, the processing module 1502 obtains identity information required for a first service from all identity information of the electronic identity holder according to the first information, including:
when the first information is a service application identifier for executing the first service and a service type identifier of the first service, determining a required identity information identifier corresponding to the first service according to a mapping table of prestored service application identifiers and required identity information identifiers, and acquiring the required identity information from all identity information of the electronic identity holder according to the required identity information identifier; or,
when the first information is the required identity information identifier, acquiring the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
In an example, before the communication module 1503 receives the fifth message, the communication module 1503 is further configured to receive a seventh message from a service server corresponding to the first service, where the seventh message includes information of a service provider of the first service and an identity information customization indication;
the processing module 1502 is further configured to determine that the service provider of the first service is legal according to the information of the service provider, and to register the identity information customization service according to the identity information customization indication;
the communication module 1503 is further configured to send an eighth message to the service server, where the eighth message is used to notify that the service provider is legal and that the identity information customization service is successfully registered.
In one example, the seventh message further includes a service application identification of the first service; after the processing module 1502 determines that the service provider is legal according to the information of the service provider of the first service, the processing module 1502 is further configured to add a service application identifier of the first service to a white list;
after the communication module 1503 receives the fifth message, the processing module 1502 is further configured to determine that the white list includes the service application identifier of the first service.
In one example, the seventh message further includes an identity information identifier required for the first service; the processing module 1502 is further configured to store the service application identifier and the required identity information identifier corresponding to the service application identifier in a mapping table.
In the embodiment of the present invention, the communication module 1503 is configured to receive a fifth message, where the fifth message includes first electronic identity data and first information; a processing module 1502, configured to verify, according to the first electronic identity data, an identity of an electronic identity holder corresponding to the first electronic identity data; when the identity verification of the electronic identity holder passes, acquiring identity information required by a first service from all identity information of the electronic identity holder according to the first information; the communication module 1503 is further configured to send a sixth message, where the sixth message includes the required identity information. Therefore, the verification server can send the required identity information while authenticating the identity, the service requester is not required to provide plaintext information for the service provider, leakage of key privacy data can be avoided, and redundancy of unnecessary information is avoided.
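As an added illustration of the procedure summarized in this paragraph and in the mapping-table, white-list and registration examples above, the following Go program is example code written for this page; it is not code from the patent or from Huawei. It assumes Ed25519 as the signature scheme, a length-prefixed encoding of the signed service data and first information, a HolderID field by which the server locates the holder's public key, a mapping table keyed by service application identifier only (the registration message on the page carries no service type identifier), and a pre-provisioned list of legal service providers; the page specifies none of these choices, and the identity record is made of constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// FirstInfo is the patent's "first information": the service application
// identifier and the service type identifier of the first service.
type FirstInfo struct{ ServiceAppID, ServiceTypeID string }
// FifthMessage is the request that reaches the verification server. HolderID is an
// assumption of this example; the page does not say how the holder's key is found.
type FifthMessage struct {
	HolderID    string
	ServiceData []byte // service data of the first service
	Info        FirstInfo
	Signature   []byte // first electronic identity data: Sign(sk, ServiceData || Info)
}
// SixthMessage holds only the identity information the first service requires.
type SixthMessage map[string]string
type holderRecord struct {
	PublicKey ed25519.PublicKey
	Identity  map[string]string // all identity information of the holder, keyed by identifier
}
// VerificationServer keeps the state the description assigns to the storage module.
type VerificationServer struct {
	holders   map[string]holderRecord
	providers map[string]bool     // service providers known to be legal (assumed pre-provisioned)
	whitelist map[string]bool     // application ids with a registered customization service
	mapping   map[string][]string // application id -> required identity information ids
}

// signedPayload fixes the bytes both sides sign; the length prefixes (this example's choice)
// stop a forwarder from re-splitting service data and first information.
func signedPayload(data []byte, info FirstInfo) []byte {
	var out []byte
	for _, f := range [][]byte{data, []byte(info.ServiceAppID), []byte(info.ServiceTypeID)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// BuildFifthMessage is the terminal side: the holder's private key signs the service data together with the first information.
func BuildFifthMessage(priv ed25519.PrivateKey, holderID string, data []byte, info FirstInfo) FifthMessage {
	return FifthMessage{HolderID: holderID, ServiceData: data, Info: info,
		Signature: ed25519.Sign(priv, signedPayload(data, info))}
}

// RegisterCustomization handles the seventh message: only a legal provider gets its application white-listed and its required identifiers stored.
func (s *VerificationServer) RegisterCustomization(providerID, appID string, requiredIDs []string) error {
	if !s.providers[providerID] {
		return errors.New("service provider is not legal; registration refused")
	}
	s.whitelist[appID] = true
	s.mapping[appID] = append([]string(nil), requiredIDs...)
	return nil // the eighth message reports success
}

// HandleFifthMessage: white-list check, signature verification, mapping-table lookup, then a sixth message with nothing beyond the required information.
func (s *VerificationServer) HandleFifthMessage(m FifthMessage) (SixthMessage, error) {
	if !s.whitelist[m.Info.ServiceAppID] {
		return nil, errors.New("service application is not white-listed")
	}
	rec, ok := s.holders[m.HolderID] // also keeps ed25519.Verify away from a missing key
	if !ok {
		return nil, errors.New("unknown electronic identity holder")
	}
	// A tampered request, or one re-targeted at another application, fails here.
	if !ed25519.Verify(rec.PublicKey, signedPayload(m.ServiceData, m.Info), m.Signature) {
		return nil, errors.New("identity verification failed")
	}
	resp := SixthMessage{}
	for _, id := range s.mapping[m.Info.ServiceAppID] {
		v, ok := rec.Identity[id]
		if !ok {
			return nil, errors.New("holder lacks required identity information: " + id)
		}
		resp[id] = v
	}
	return resp, nil
}

// demoSetup provisions one holder and one legal provider with constructed sample values.
func demoSetup() (*VerificationServer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s := &VerificationServer{holders: map[string]holderRecord{}, providers: map[string]bool{},
		whitelist: map[string]bool{}, mapping: map[string][]string{}}
	s.holders["holder-001"] = holderRecord{PublicKey: pub, Identity: map[string]string{
		"name": "Zhang San", "id_number": "ID-SAMPLE-0001", "phone": "000-0000-0000"}}
	s.providers["provider-bank"] = true
	return s, priv
}
```

The point to take from it sits in HandleFifthMessage: the signature binds the service data to the first information, so a message captured for one service application does not verify when presented for another, and the sixth message is assembled only from the identifiers in the mapping table, never from the holder's full record. The two refusal paths (provider not legal, application not white-listed) are the checks the seventh/eighth message exchange exists to make possible.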
The processing module 1502 may be a processor or a controller, such as a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing devices, e.g., one or more microprocessors, or a DSP together with a microprocessor. The communication module 1503 may be a communication interface, a transceiver circuit, etc., where "communication interface" is a generic term that may cover one or more interfaces. The storage module 1501 may be a memory.
When the processing module 1502 is a processor, the communication module 1503 is a communication interface, and the storage module 1501 is a memory, the authentication server according to the embodiment of the present invention may be the authentication server shown in fig. 16.
Referring to fig. 16, the authentication server 1600 includes: a processor 1602, a communication interface 1603, and a memory 1601. The communication interface 1603, the processor 1602 and the memory 1601 may be connected to each other via a communication connection.
Fig. 17 is a schematic diagram of a communication device according to an embodiment of the present disclosure, and as shown in fig. 17, the communication device 1700 may be a chip including a processing unit and a communication unit. The processing unit may be a processor 1710, which may be of any of the various types described above. The communication unit, which may be, for example, an input/output interface 1720, a pin or a circuit, etc., may include or be connected to a system bus. Optionally, the communication device further includes a storage unit, which may be a memory 1730 inside the chip, such as a register, a cache, a Random Access Memory (RAM), an EEPROM, or a FLASH; the memory unit may also be a memory located outside the chip, which may be of the various types described hereinbefore. A processor is coupled to the memory, and the processor can execute the instructions stored in the memory to cause the communication device to perform the functions of the authentication server in the methods described above in fig. 4-11.
In the various embodiments of the invention described above, implementation may be in whole or in part via software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium accessible by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), among others.
The above embodiments describe the objects, technical solutions and advantages of the present invention in further detail. It should be understood that the above embodiments are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention fall within the scope of the present invention.

Claims (38)

1. A method of obtaining identity information, the method comprising:
a terminal sends a first message, wherein the first message comprises first electronic identity data and first information, the first electronic identity data is used for a verification server to verify the identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used for the verification server to obtain identity information required by a first service from all identity information of the electronic identity holder;
the terminal receives a second message, wherein the second message comprises the required identity information or an identity information check result obtained based on the required identity information;
the first information is a service application identifier for executing the first service and a service type identifier for the first service;
when the first information is a service application identifier for executing the first service and a service type identifier of the first service, the verification server determines a required identity information identifier corresponding to the first service according to a mapping table of pre-stored service application identifiers and required identity information identifiers, and the verification server acquires the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
2. The method of claim 1, wherein after the terminal receives the second message, the method further comprises:
when the required identity information meets the requirement of executing the first service or the identity information check result is yes, the terminal executes the first service.
3. The method of claim 1 or 2, wherein the terminal sends a first message comprising:
the terminal sends the first message to a service server corresponding to the first service, wherein the first message further comprises indication information, and the indication information is used for indicating the service server to send the first electronic identity data and the first information to the verification server;
the terminal receiving the second message comprises:
the terminal receives the second message from the service server.
4. The method of claim 1 or 2, wherein the method further comprises:
the terminal acquires the biological characteristic information of the service request party of the first service;
when the biological characteristic information of the service request party is consistent with the biological characteristic information of the electronic identity holding party, the terminal executes the first service.
5. The method of claim 4, wherein prior to the terminal performing the first service, the method further comprises:
the terminal sends the biological characteristic information of the service request party to a service server corresponding to the first service, and the biological characteristic information of the service request party is used for comparing the biological characteristic information of the service request party with the biological characteristic information in the required identity information by the service server;
the terminal receives the result of the comparison from the service server.
6. The method of claim 1 or 2, wherein prior to the terminal sending the first message, the method further comprises:
the terminal uses a private key of the electronic identity holder to perform signature calculation on the service data of the first service to generate first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key of the electronic identity holder is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key of the electronic identity holder.
7. The method of claim 1 or 2, wherein prior to the terminal sending the first message, the method further comprises:
the terminal uses a private key of the electronic identity holder to perform signature calculation on the service data of the first service and the first information to generate first electronic identity data; or the terminal acquires the first electronic identity data from the security device where the private key of the electronic identity holder is located, wherein the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service and the first information by using the private key of the electronic identity holder.
8. The method of claim 1 or 2, wherein prior to the terminal sending the first message, the method further comprises:
the terminal determines an identity information identifier required by the first service;
the terminal determines the identity information identifier required by the first service, and the method comprises the following steps:
the terminal determines the required identity information identifier according to a mapping table of pre-stored service application identifiers and the required identity information identifier;
or, the terminal determines the required identity information identifier according to a user instruction;
or, the terminal receives the required identity information identifier from a service server corresponding to the first service.
9. The method of claim 1 or 2, wherein prior to the terminal sending the first message, the method further comprises:
the terminal sends a third message to a service server corresponding to the first service, wherein the third message is used for requesting the service server to register the identity information customization service required by the first service to the verification server;
the terminal receives a fourth message from the service server, wherein the fourth message is used for informing that the identity information customizing service is successfully registered.
10. The method of claim 9, wherein after the terminal receives the fourth message from the service server, the method further comprises:
the terminal adds the service application identifier of the first service into a white list;
after responding to the request for triggering the first service, the terminal determines that the white list comprises the service application identifier of the first service.
11. A method of obtaining identity information, the method comprising:
receiving a fifth message by the verification server, wherein the fifth message comprises first electronic identity data and first information;
the verification server verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data;
when the identity verification of the electronic identity holder passes, the verification server acquires identity information required by a first service from all identity information of the electronic identity holder according to the first information;
the authentication server sending a sixth message, the sixth message including the required identity information;
the first information is a service application identifier for executing the first service and a service type identifier for the first service;
when the first information is a service application identifier for executing the first service and a service type identifier of the first service, the verification server determines a required identity information identifier corresponding to the first service according to a mapping table of pre-stored service application identifiers and required identity information identifiers, and the verification server acquires the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
12. The method of claim 11, wherein the authentication server receives a fifth message comprising:
the verification server receives the fifth message from the service server corresponding to the first service;
the authentication server sending a sixth message comprises:
the authentication server sends the sixth message to the service server.
13. The method of claim 11 or 12, wherein prior to the authentication server sending a sixth message, the method further comprises:
the authentication server receives the biological characteristic information of the service requester of the first service from the terminal;
when the biological characteristic information of the service request party is consistent with the biological characteristic information of the electronic identity holding party, the verification server sends the sixth message.
14. The method according to claim 11 or 12, wherein the first electronic identity data is signature data generated by a signature calculation of the service data of the first service using a private key of the electronic identity holder; or the first electronic identity data is signature data generated by performing signature calculation on the service data of the first service and the first information by using a private key of the electronic identity holder;
the authentication server authenticating the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data comprises:
the verification server verifies the signature data according to the public key of the electronic identity holder, so as to verify the identity of the electronic identity holder.
15. The method of claim 11 or 12, wherein prior to the authentication server receiving the fifth message, the method further comprises:
the authentication server receives a seventh message from a service server corresponding to the first service, wherein the seventh message comprises information of a service provider of the first service and an identity information customization indication; the verification server determines that the service provider is legal according to the information of the service provider of the first service, and registers the identity information customization service according to the identity information customization indication;
the verification server sends an eighth message to the service server, wherein the eighth message is used for informing that the service provider is legal and the identity information customization service is successfully registered.
16. The method of claim 15, wherein the seventh message further comprises a service application identification of the first service; after the authentication server determines that the service provider of the first service is legal according to the information of the service provider, the method further includes:
the verification server adds the service application identification of the first service into a white list;
after the authentication server receives the fifth message, the method further comprises:
the verification server determines that the white list comprises the service application identification of the first service.
17. The method of claim 16, wherein the seventh message further comprises an identification of identity information required for the first service; the method further comprises the following steps:
the verification server stores the service application identifier and the required identity information identifier corresponding to the service application identifier in a mapping table.
18. A terminal, characterized in that the terminal comprises:
the communication module is used for sending a first message, wherein the first message comprises first electronic identity data and first information, the first electronic identity data is used for a verification server to verify the identity of an electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used for the verification server to acquire identity information required by a first service from all identity information of the electronic identity holder; receiving a second message, wherein the second message comprises the required identity information or an identity information check result obtained based on the required identity information;
the first information is a service application identifier for executing the first service and a service type identifier for the first service;
when the first information is a service application identifier for executing the first service and a service type identifier of the first service, the verification server determines a required identity information identifier corresponding to the first service according to a mapping table of pre-stored service application identifiers and required identity information identifiers, and the verification server acquires the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
19. The terminal of claim 18, wherein the terminal further comprises a processing module; after the communication module receives the second message, the processing module is configured to execute the first service when the required identity information meets the requirement for executing the first service or the identity information check result is yes.
20. The terminal of claim 18 or 19, wherein the communication module sends a first message comprising: sending the first message to a service server corresponding to the first service, wherein the first message further comprises indication information, and the indication information is used for indicating the service server to send the first electronic identity data and the first information to the verification server;
the communication module receiving the second message comprises: receiving the second message from the service server.
21. The terminal according to claim 18 or 19, characterized in that the terminal further comprises:
the acquisition module is used for acquiring the biological characteristic information of the service requester of the first service;
and the processing module is used for executing the first service when the biological characteristic information of the service request party is consistent with the biological characteristic information of the electronic identity holding party.
22. The terminal of claim 21, wherein before the processing module executes the first service, the communication module is further configured to send biometric information of the service requester to a service server corresponding to the first service, where the biometric information of the service requester is used by the service server to compare the biometric information of the service requester with biometric information in the required identity information; and to receive a result of the comparison from the service server.
23. The terminal according to claim 18 or 19, wherein the terminal further comprises a processing module; before the communication module sends the first message, the processing module is configured to perform signature computation on the service data of the first service using a private key of the electronic identity holder to generate the first electronic identity data; or, the communication module is further configured to obtain the first electronic identity data from a security device where the private key of the electronic identity holder is located, where the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service by using the private key of the electronic identity holder.
24. The terminal according to claim 18 or 19, wherein the terminal further comprises a processing module; before the communication module sends the first message, the processing module is configured to perform signature computation on the service data of the first service and the first information using a private key of the electronic identity holder to generate the first electronic identity data; or, the communication module is further configured to obtain the first electronic identity data from a security device where the private key of the electronic identity holder is located, where the first electronic identity data is generated by the security device performing signature calculation on the service data of the first service and the first information by using the private key of the electronic identity holder.
25. The terminal according to claim 18 or 19, wherein before the communication module sends the first message, the processing module is further configured to determine an identity information identifier required for the first service;
the processing module is configured to determine an identity information identifier required by the first service, and includes:
determining the required identity information identifier according to a mapping table of pre-stored service application identifiers and the required identity information identifiers;
or, determining the required identity information identifier according to a user instruction;
or, receiving the required identity information identifier from the service server corresponding to the first service through the communication module.
26. The terminal of claim 18 or 19, wherein before the communication module sends the first message, the communication module is further configured to send a third message to a service server corresponding to the first service, where the third message is used to request the service server to register, with the authentication server, an identity information customization service required by the first service; and receiving a fourth message from the service server, wherein the fourth message is used for informing that the identity information customizing service is successfully registered.
27. The terminal of claim 26, wherein the terminal further comprises a processing module; after the communication module receives the fourth message from the service server, the processing module is further configured to add the service application identifier of the first service to a white list; and after responding to the request for triggering the first service, determining that the white list comprises the service application identifier of the first service.
28. An authentication server, characterized in that the authentication server comprises:
a communication module, configured to receive a fifth message, where the fifth message includes first electronic identity data and first information;
the processing module is used for verifying the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data; when the identity verification of the electronic identity holder passes, acquiring identity information required by a first service from all identity information of the electronic identity holder according to the first information;
the communication module is further configured to send a sixth message, where the sixth message includes the required identity information;
the first information is a service application identifier for executing the first service and a service type identifier for the first service;
when the first information is a service application identifier for executing the first service and a service type identifier of the first service, the verification server determines a required identity information identifier corresponding to the first service according to a mapping table of pre-stored service application identifiers and required identity information identifiers, and the verification server acquires the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
29. The authentication server of claim 28, wherein the communication module receives a fifth message comprising:
receiving the fifth message from the service server corresponding to the first service;
the communication module sending the sixth message comprises:
sending the sixth message to the service server.
30. The authentication server according to claim 28 or 29, wherein before the communication module sends the sixth message, the communication module is further configured to receive biometric information of the service requester of the first service from the terminal; and when the biological characteristic information of the service request party is consistent with the biological characteristic information of the electronic identity holding party, sending the sixth message.
31. The authentication server according to claim 28 or 29, wherein the first electronic identity data is signature data generated by a signature calculation of the service data of the first service using a private key of the electronic identity holder; or the first electronic identity data is signature data generated by performing signature calculation on the service data of the first service and the first information by using a private key of the electronic identity holder;
the processing module verifying the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data comprises:
verifying the signature data according to the public key of the electronic identity holder, so as to verify the identity of the electronic identity holder.
32. The authentication server according to claim 28 or 29, wherein before the communication module receives the fifth message, the communication module is further configured to receive a seventh message from a service server corresponding to the first service, where the seventh message includes information of a service provider of the first service and an identity information customization indication;
the processing module is further configured to determine that the service provider is legal according to the information of the service provider of the first service, and to register the identity information customization service according to the identity information customization indication;
the communication module is further configured to send an eighth message to the service server, where the eighth message is used to notify that the service provider is legal and that the identity information customization service is successfully registered.
33. The authentication server of claim 32, wherein the seventh message further comprises a service application identification of the first service; after the processing module determines that the service provider is legal according to the information of the service provider of the first service, the processing module is further configured to add the service application identifier of the first service to a white list;
after the communication module receives the fifth message, the processing module is further configured to determine that the white list includes the service application identifier of the first service.
34. The authentication server of claim 33, wherein the seventh message further comprises an identification of identity information required for the first service; the processing module is further configured to store the service application identifier and the required identity information identifier corresponding to the service application identifier in a mapping table.
35. A terminal, characterized in that the terminal comprises: a memory, a processor, and a communication interface;
the terminal is adapted to perform the method of acquiring identity information according to any of claims 1-10.
36. An authentication server, characterized in that the authentication server comprises: a memory, a processor, and a communication interface;
the authentication server is adapted to perform the method of obtaining identity information according to any of claims 11-17.
37. A communication apparatus, comprising a processor configured to enable the communication apparatus to perform the method according to any one of claims 1 to 17.
38. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of any of claims 1 to 17.
CN201810238350.XA 2018-03-22 2018-03-22 Method, terminal and verification server for acquiring identity information Active CN110300083B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810238350.XA CN110300083B (en) 2018-03-22 2018-03-22 Method, terminal and verification server for acquiring identity information
PCT/CN2019/078502 WO2019179394A1 (en) 2018-03-22 2019-03-18 Method, terminal, and authentication server for retrieving identity information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810238350.XA CN110300083B (en) 2018-03-22 2018-03-22 Method, terminal and verification server for acquiring identity information

Publications (2)

Publication Number Publication Date
CN110300083A CN110300083A (en) 2019-10-01
CN110300083B true CN110300083B (en) 2021-02-12

Family

ID=67986745

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810238350.XA Active CN110300083B (en) 2018-03-22 2018-03-22 Method, terminal and verification server for acquiring identity information

Country Status (2)

Country Link
CN (1) CN110300083B (en)
WO (1) WO2019179394A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111212075B (en) * 2020-01-02 2022-06-03 腾讯云计算(北京)有限责任公司 Service request processing method and device, electronic equipment and computer storage medium
CN111342975B (en) * 2020-03-04 2022-07-29 中国联合网络通信集团有限公司 Tobacco marketing method and device
WO2021243594A1 (en) * 2020-06-03 2021-12-09 铨鸿资讯有限公司 Collective verification-based method for verifying partial data
CN112036527B (en) * 2020-08-19 2024-06-07 苏州国芯科技股份有限公司 Passive identity recognition device, control method thereof and passive identity recognition system
CN112464194A (en) * 2020-11-25 2021-03-09 数字广东网络建设有限公司 Resource acquisition method and device, computer equipment and storage medium
CN112132122B (en) * 2020-11-26 2021-03-16 飞天诚信科技股份有限公司 Fingerprint card and implementation method thereof
CN112583807A (en) * 2020-12-04 2021-03-30 锐捷网络股份有限公司 Verification method, verification device, electronic equipment and storage medium
CN113096391A (en) * 2021-03-25 2021-07-09 合肥革绿信息科技有限公司 Traffic management system based on face recognition
CN114499891B (en) * 2022-03-21 2024-05-31 宁夏凯信特信息科技有限公司 Signature server system and signature verification method
CN116319067B (en) * 2023-05-10 2023-08-29 金联汇通信息技术有限公司 Information verification method, terminal, cloud server, background and electronic equipment

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH05289612A (en) * 1992-04-06 1993-11-05 Nhk Spring Co Ltd Information recording system and information communication system
CN1818971A (en) * 2006-03-10 2006-08-16 湖南省公民信息管理局 Identity information checking method and checker with secondary-generation identity card combination
CN101778380A (en) * 2009-12-31 2010-07-14 卓望数码技术(深圳)有限公司 Identity authentication method, device and system
CN102271041B (en) * 2011-07-30 2013-08-14 杨勇 Root service system for personal identity authentication
CN102364527A (en) * 2011-10-21 2012-02-29 中国科学技术大学 Real-time identity recognition and authentication method for self-service equipment system of bank
CN102833074A (en) * 2012-08-31 2012-12-19 珠海市魅族科技有限公司 Authentication method and related equipment
CN104731836A (en) * 2013-12-21 2015-06-24 方文淋 System and method for quickly acquiring user identity information
US20150356523A1 (en) * 2014-06-07 2015-12-10 ChainID LLC Decentralized identity verification systems and methods
CN104376401A (en) * 2014-10-29 2015-02-25 中国建设银行股份有限公司 Information management method and device
CN105791256B (en) * 2014-12-26 2019-06-21 华为技术有限公司 A kind of method, apparatus and system obtaining user information
CN106921496A (en) * 2015-12-25 2017-07-04 卓望数码技术(深圳)有限公司 A kind of digital signature method and system
CN106034031B (en) * 2016-01-21 2020-04-21 李明 Method, device, terminal and cloud authentication platform for acquiring identity information
CN106487518A (en) * 2016-10-31 2017-03-08 金联汇通信息技术有限公司 A kind of real-name authentication system and method for express delivery industry
CN107302435B (en) * 2017-07-21 2020-12-04 金联汇通信息技术有限公司 Identity information processing method and system and corresponding server
CN107767117A (en) * 2017-10-16 2018-03-06 国家电网公司 The self-service method and system handled of power business
CN107800725B (en) * 2017-12-11 2023-08-29 公安部第一研究所 Remote online management device and method for digital certificates

Also Published As

Publication number Publication date
CN110300083A (en) 2019-10-01
WO2019179394A1 (en) 2019-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant